Red Hat just released a patch (login required)

   https://rhn.redhat.com/rhn/errata/details/Details.do?eid=27888

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Thursday, September 25, 2014 7:40 AM
Subject: [NTSysADM] Major Bash Vulnerability -- ALL versions

Good morning,

There has been a significant vulnerability found in a core Unix/Linux component 
(Bash) which affects ALL known versions of this component across every 
Unix-like OS.

The potential impact of this vulnerability is already being compared to the 
Heartbleed OpenSSL vulnerability from April 2014, but the scope is much larger - 
approx. 500 million Unix and Unix-like systems (this includes OSX, as well as 
any Windows installations that are running something like Cygwin to enable Unix 
commands).

This issue is significant because even if the Bash shell is not used manually, 
it can be called by other components.  More details can be found in the 
following articles:

* http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
* http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/
* http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it
* https://blog.cloudflare.com/bash-vulnerability-cve-2014-6271-patched/
* https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-execution-vulnerability-cve-2014-6271
* http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
* http://seclists.org/oss-sec/2014/q3/650
* http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html


Proof of Concept Validation
* https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-execution-vulnerability-cve-2014-6271
* https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/



Operating System fixes:
* http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
* http://www.ubuntu.com/usn/usn-2362-1/
* https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Regards,


-ASB: http://xeeme.com/AndrewBaker

