My notification came in this morning, but the patch had yesterday's date, but it looks like it's the fix.
The ZDNet article said:

Of course, the real fix will be to replace the broken Bash with a new, secure one. As of the morning of September 24, Bash's developers have patched all current versions <http://lists.gnu.org/archive/html/bug-bash/2014-09/threads.html> of Bash, from 3.0 to 4.3. At this time, only Debian <https://lists.debian.org/debian-security-announce/2014/msg00220.html> and Red Hat <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271> appear to have packaged patches ready to go.

-Paul

From: [email protected] [mailto:[email protected]] On Behalf Of Rod Trent
Sent: Thursday, September 25, 2014 9:38 AM
To: [email protected]
Subject: RE: [NTSysADM] Major Bash Vulnerability -- ALL versions

Is this the one newer than the one released yesterday? Red Hat is working on another patch. The one yesterday didn't fix the issue entirely.

From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Maglinger, Paul
Sent: Thursday, September 25, 2014 10:33 AM
To: '[email protected]'
Subject: RE: [NTSysADM] Major Bash Vulnerability -- ALL versions

Red Hat just released a patch (login required): https://rhn.redhat.com/rhn/errata/details/Details.do?eid=27888

From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Thursday, September 25, 2014 7:40 AM
Subject: [NTSysADM] Major Bash Vulnerability -- ALL versions

Good morning,

There has been a significant vulnerability found in a core Unix/Linux component (Bash) which affects ALL known versions of this component across every Unix-like OS. The potential impact of this vulnerability is already being compared to the Heartbleed OpenSSL vulnerability from April 2014, but the scope is much larger - approx. 500 million Unix and Unix-like systems (this includes OSX, as well as any Windows installations that are running something like Cygwin to enable Unix commands).

This issue is significant because even if the Bash shell is not used manually, it can be called by other components.

More details can be found in the following articles:

* http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
* http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/
* http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it
* https://blog.cloudflare.com/bash-vulnerability-cve-2014-6271-patched/
* https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-execution-vulnerability-cve-2014-6271
* http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
* http://seclists.org/oss-sec/2014/q3/650
* http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

Proof of Concept Validation

* https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-execution-vulnerability-cve-2014-6271
* https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Operating System fixes:

* http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
* http://www.ubuntu.com/usn/usn-2362-1/
* https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Regards,

-ASB: http://xeeme.com/AndrewBaker

