Re: [SECURITY] [DSA 3032-1] bash security update

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 3032-1] bash security update
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Thu, 25 Sep 2014 10:54:38 -0300
Message-id: <[🔎] 20140925135438.GD10569@khazad-dum.debian.net>
In-reply-to: <[🔎] 5423E3B8.4030401@cyconet.org>
References: <87bnq5glkh.fsf@mid.deneb.enyo.de> <[🔎] 5423E3B8.4030401@cyconet.org>

On Thu, 25 Sep 2014, Jan Wagner wrote:
> is there still work on CVE-2014-7169, as the fix for CVE-2014-6271
> seems incomplete?

Work on that is ongoing, AFAIK.

AFAIK, exploits for CVE-2014-7169 are already public (one certainly worked
here, with the CVE-2014-6271 patch applied), and there are reports of
ongoing scans (and possibly attacks) for CVE-2014-6271 since at least 12
hours ago.  I didn't see anything about ongoing scans for CVE-2014-7169 yet.

Some of those scans are benign (origin are well known white-hats), some are
not.

I suggest everyone to do a spring cleanup in the login shells for system
accounts, and to deploy mitigation.

BTW: sudo is a viable local attack vector for this vulnerability.

https://news.ycombinator.com/item?id=8365158

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 3032-1] bash security update
  - From: Michael Stone <mstone@debian.org>
- Re: [SECURITY] [DSA 3032-1] bash security update
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- Re: [SECURITY] [DSA 3032-1] bash security update
  - From: Jan Wagner <waja@cyconet.org>

Prev by Date: Re: [SECURITY] [DSA 3032-1] bash security update
Next by Date: Re: [SECURITY] [DSA 3032-1] bash security update
Previous by thread: Re: [SECURITY] [DSA 3032-1] bash security update
Next by thread: Re: [SECURITY] [DSA 3032-1] bash security update
Index(es):
- Date
- Thread