John Darrington <j...@darrington.wattle.id.au> skribis:
> On Tue, Sep 20, 2016 at 04:55:30PM -0400, Leo Famulari wrote:
> Any advice on how we should handle CVE-2016-0634?
> Like the comment there says, it is only a problem if the machine has
> already been owned,
… or if a privilege application like a DHCP client can be made to set
the host name to $(something bad), which was apparently possible at some
> so I don't see what the issue is. If there is an issue it is for the
> bash maintainers to patch.
Chet proposed a patch:
IIUC, the just-released 4.4 isn’t affected, right?
We should at least update it in core-updates, but core-updates won’t be
merged until we have fixed that Binutils/MIPS issue (which shouldn’t be
too hard, but we never know!).
I’m somewhat unavailable these days; could someone look into it?
Thanks for the heads-up Leo, as usual!