Re: CVE-2014-6277, CVE-2014-6278 in stable
2014-10-16 14:17:22 +0200, Thorsten Glaser:
[...]
> while the affix patches avoid exploiting these bugs, mostly,
> they are still there.
>
> http://evolvisforge.blog.tarent.de/archives/93
>
> Currently, *all* bugs are only fixed in sid, precise, trusty.
> The fixes are still not in testing, nor has stable been updated.
[...]
Once the bash parser is no longer exposed to any environment
variable content, those are hardly a bug anymore let alone a
vulnerability.
Even the original CVE-2014-6271 becomes a non-bug once the
parser is no longer exposed.
See
https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00032.html
The only important patch to apply is the one for something that
didn't get any CVE: that bash parses code in any env var whose
content starts with "() {". See there:
http://unix.stackexchange.com/a/157495/22565
for details.
--
Stephane
Reply to: