CVE-2014-6271 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
Summary: GNU Bash through 4.3 processes trailing strings after function 
definitions in the values of environment variables, which allows remote 
attackers to execute arbitrary code via a crafted environment, as demonstrated 
by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and 
mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified 
DHCP clients, and other situations in which setting the environment occurs 
across a privilege boundary from Bash execution.
Published: 9/24/2014 2:48:04 PM

CVSS Severity: 10.0 HIGH
<http://nvd.nist.gov/cvss.cfm?name=CVE-2014-6271&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)&version=2.0>

Note this applies to all versions of bash. Red Hat has published fixes. I 
haven't seen any for SuSE Linux or Mac OS X, or anything else.

Easy test:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
$ 

https://bugzilla.redhat.com/show_bug.cgi?id=1141597 

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
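The one-line test above works at a terminal, but for a fleet of System z guests it is handier to have it wrapped so that configuration management or a cron job can report which hosts still run an unpatched bash. The script below is an added example, not part of the original post or of any vendor's tooling. It assumes the bash to check is either on PATH or given as the first argument, uses a constructed marker string instead of the word "vulnerable", and treats a host with no bash at all as a separate case rather than reporting it as patched.

```shell
#!/bin/sh
# Added example: fleet-style check for CVE-2014-6271 (Shellshock).
# The crafted environment variable only runs `echo`, so the probe is harmless
# on both vulnerable and patched systems.

# Constructed marker: a vulnerable bash prints it while importing the
# function definition from the environment; a patched bash never does.
SHELLSHOCK_MARKER="shellshock_env_import_fired"

# Run bash with the crafted variable and return whatever it printed.
# $1: path to the bash binary to test (default: bash on PATH, an assumption).
shellshock_probe_output() {
    bash_bin="${1:-bash}"
    # Patched bash 4.3 warns on stderr ("ignoring function definition
    # attempt"); that noise is not part of the verdict, so drop it.
    env x="() { :;}; echo $SHELLSHOCK_MARKER" "$bash_bin" -c "echo probe_body" 2>/dev/null
}

# Classify captured probe output. Prints the verdict on stdout and uses the
# exit status so callers (cron, config management) can branch on it:
#   0 = patched, 1 = vulnerable
shellshock_classify() {
    case "$1" in
        *"$SHELLSHOCK_MARKER"*) echo vulnerable; return 1 ;;
        *)                      echo patched;    return 0 ;;
    esac
}

# Full check: verify bash exists, probe it, classify the result.
#   0 = patched, 1 = vulnerable, 2 = no bash found at that path
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    out=$(shellshock_probe_output "$bash_bin")
    shellshock_classify "$out"
}

# Usage when run directly: ./shellshock_check.sh [/path/to/bash]
# Wrapped in a guard so sourcing the file for its functions does nothing.
if [ "${SHELLSHOCK_RUN_MAIN:-1}" = 1 ] && [ "$(basename -- "$0")" = "shellshock_check.sh" ]; then
    shellshock_check "$1"
    exit $?
fi
```

Because the verdict is carried in the exit status, the script slots into a config-management "exec" resource or a monitoring plugin without any output parsing; a non-zero status on a host means the vendor fix has not yet been applied there.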