Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Hi everyone,
Bash Code Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271)
https://access.redhat.com/articles/1200223
My current Debian setup is vulnerable, as shown below:
==============================================
slitt@mydesq2:~$ env x='() { :;}; \
echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
slitt@mydesq2:~$ uname -a
Linux mydesq2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
slitt@mydesq2:~$ cat /etc/issue
Debian GNU/Linux 7 \n \l
slitt@mydesq2:~$ bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
slitt@mydesq2:~$
==============================================
Does anyone know if there's a fix for Debian's bash, and how to install
it?
Thanks,
SteveT
Steve Litt * http://www.troubleshooters.com/
Troubleshooting Training * Human Performance
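
Added example, not part of the original post: the probe shown in the message, wrapped so it can be run against every bash binary on a host, for instance before and after an upgrade. The function names, return codes and the use of /etc/shells to find candidates are assumptions of this example.

```shell
#!/bin/sh
# Run the CVE-2014-6271 probe from the post against one shell binary.
# Return codes (chosen for this example):
#   0 = vulnerable, 1 = not vulnerable, 2 = could not test
check_shellshock() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    # Same probe as in the post: a function definition in an environment
    # variable with a command after it. A vulnerable bash runs the
    # trailing echo while importing the variable at startup.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo this is a test' 2>/dev/null)
    case $out in
        *vulnerable*)       return 0 ;;
        *"this is a test"*) return 1 ;;
        *)                  return 2 ;;
    esac
}

# Probe every bash listed in /etc/shells plus the bash found on PATH.
# Returns 1 if any of them is vulnerable, 0 otherwise.
audit_bash_binaries() {
    found=0
    candidates=$( { grep -E '/r?bash$' /etc/shells 2>/dev/null; command -v bash; } | sort -u )
    for b in $candidates; do
        rc=0
        check_shellshock "$b" || rc=$?
        case $rc in
            0) echo "VULNERABLE      $b"; found=1 ;;
            1) echo "not vulnerable  $b" ;;
            *) echo "could not test  $b" ;;
        esac
    done
    return $found
}

audit_bash_binaries || echo "at least one bash binary is vulnerable" >&2
```

Statically linked or privately installed copies of bash outside /etc/shells and PATH are not found by this script and have to be passed to check_shellshock by hand.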