Hi all,
I see there are two new CVEs for bash: CVE-2014-6277[1], CVE-2014-6278[2]. I note
that the security tracker shows all versions of Debian as "vulnerable"; however, the Notes
section on 6277, 6278 shows:
"The underlying parser flaw has not yet been disclosed and might
still exist in latest released bash packages. However Florian
Weimer's variables-affix.patch patch applied in Debian prevents
exploitation of this issue by making bash only use environment
variables with specific names (BASH_FUNC_*()) to define functions
from its environment."
So I am confused. I think what I am reading here is that if you applied the latest patches to bash [3]