On 2/10/2014 6:15 PM, Brent Wallis wrote:
> Frankly, I think all vendors have been caught out by this, especially
> over the latest 2 CVEs (6277 and 6278):
>
> - Red Hat's response on 6278 is a little ambiguous IMHO:
>
> From:
> https://access.redhat.com/security/cve/CVE-2014-6278
>
> “Red Hat believes that changes introduced via updates RHSA-2014:1306,
> RHSA-2014:1311, and RHSA-2014:1312 that prevent Bash from defining new
> functions based on arbitrary environment variables sufficiently mitigate
> this issue. This statement will be updated once more details are available.”

I keep checking regularly [much more than normal at this time] for updates, I'm not convinced that we are done yet, even on Linux (Debian in my case).

> - NetApp and VMware are both exposed in small ways on some products but
> fixes are not available as yet. Not good.
> - Cisco have some work to do as well:
> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

They seem to have a great many products to deal with, but again, they are a huge company, they should have the resources to deal with this in a much more timely manner.

> TBH I am surprised at the pervasive use of GNU bash.

Yes.

A.
