CVE-2014-6277, CVE-2014-6278

Hi all,

I see there are two new CVEs for bash: CVE-2014-6277[1], CVE-2014-6278[2]. I note
that the security tracker shows all versions of Debian as "vulnerable"; however, the Notes
section on 6277 and 6278 shows:

"The underlying parser flaw has not yet been disclosed and might
still exist in latest released bash packages. However Florian
Weimer's variables-affix.patch patch applied in Debian prevents
exploitation of this issue by making bash only use environment
variables with specific names (BASH_FUNC_*()) to define functions
from its environment."

So I am confused. I think what I am reading here is that if you applied the latest patches to bash [3]
you are not vulnerable to CVE-2014-6277 or CVE-2014-6278. Running the test outlined on lcamtuf.blogspot.co.nz [4] seemed to confirm that.

Any insights would be appreciated.
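
The check below is an added example, not part of the original message or of any Debian or bash code. It exercises the behaviour the quoted Notes describe: before the variables-affix patch, bash turned any environment variable whose value began with "() {" into a function (so an attacker-controlled CGI variable such as HTTP_COOKIE reached the parser); after it, only specially named variables are considered, BASH_FUNC_<name>() in Debian's patch and BASH_FUNC_<name>%% in later upstream bash. The function and variable names (probe, bash_imports_function_from, summarize) and the use of HTTP_COOKIE as a stand-in for an attacker-controlled name are choices made for this example; the function body only echoes a marker, it is not an exploit.

```shell
#!/bin/sh
# Added example (not from the thread): does the bash on this host import
# functions from arbitrary environment variable names, or only from the
# BASH_FUNC_<name>() / BASH_FUNC_<name>%% names introduced by the affix patch?

# Prints "imported" if starting bash with an environment variable VARNAME whose
# value is a function definition causes a function called FUNCNAME to exist,
# otherwise "not-imported". env is used because the shell itself refuses to
# assign names containing "()" or "%%".
bash_imports_function_from() {
    varname=$1
    funcname=$2
    # "|| true" keeps a missing or non-importing bash from tripping set -e.
    result=$(env "${varname}=() { echo imported; }" \
                 bash -c "${funcname} 2>/dev/null" 2>/dev/null || true)
    if [ "$result" = "imported" ]; then
        echo imported
    else
        echo not-imported
    fi
}

# Classifies the installed bash. HTTP_COOKIE stands in for any CGI-supplied
# variable name: with the old behaviour it defines a function named
# HTTP_COOKIE; a patched bash only honours the BASH_FUNC_probe() (Debian) or
# BASH_FUNC_probe%% (upstream) names, both of which define a function "probe".
summarize() {
    plain=$(bash_imports_function_from HTTP_COOKIE HTTP_COOKIE)
    affix_pct=$(bash_imports_function_from 'BASH_FUNC_probe%%' probe)
    affix_paren=$(bash_imports_function_from 'BASH_FUNC_probe()' probe)
    if [ "$plain" = imported ]; then
        # Arbitrary names reach the parser: CVE-2014-6277/6278 are exposed.
        echo affix-patch-missing
    elif [ "$affix_pct" = imported ] || [ "$affix_paren" = imported ]; then
        # Functions are imported, but only from the restricted names.
        echo affix-patch-present
    else
        echo no-function-import
    fi
}

summarize
```

A result of affix-patch-missing means the tracker's "vulnerable" reading is the one that matters on that host; affix-patch-present matches the Notes quoted above, and no-function-import means either bash is absent or function import is disabled entirely.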