John Darrington <> skribis:

> On Tue, Sep 20, 2016 at 04:55:30PM -0400, Leo Famulari wrote:
>      Any advice on how we should handle CVE-2016-0634?
> Like the comment there says, it is only a problem if the machine has
> already been owned,

… or if a privilege application like a DHCP client can be made to set
the host name to $(something bad), which was apparently possible at some

> so I don't see what the issue is.  If there is an issue it is for the
> bash maintainers to patch.

Chet proposed a patch:

IIUC, the just-released 4.4 isn’t affected, right?

We should at least update it in core-updates, but core-updates won’t be
merged until we have fixed that Binutils/MIPS issue (which shouldn’t be
too hard, but we never know!).

I’m somewhat unavailable these days; could someone look into it?

Thanks for the heads-up Leo, as usual!


Reply via email to