Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

[Brian <ad44@cityscape.co.uk>]

On Wed 24 Sep 2014 at 16:52:50 -0400, Steve Litt wrote:

> Bash Code Injection Vulnerability via Specially Crafted Environment
> Variables (CVE-2014-6271)
> 
> https://access.redhat.com/articles/1200223

[Snip]

Nearly 50 minutes before your mail we had:

  To: debian-user@lists.debian.org
  From: Iain M Conochie <iain@thargoid.co.uk>
  Subject: bad bash bug 
  Received: from bendel.debian.org ([127.0.0.1])  by localhost (lists.debian.org
          [127.0.0.1]) (amavisd-new, port 2525)   with ESMTP id nEctwXCEm6Rb for
          <lists-debian-user@bendel.debian.org>;  Wed, 24 Sep 2014 20:07:06 +0000 (UTC)

6 hours prior to that there was:

  To: debian-security-announce@lists.debian.org
  From: Florian Weimer <fw@deneb.enyo.de>
  Received: from bendel.debian.org ([127.0.0.1])
          by localhost (lists.debian.org [127.0.0.1]) (amavisd-new, port 2525)
          with ESMTP id PC1cdgYAoqvP
          for <lists-debian-security-announce@bendel.debian.org>;
          Wed, 24 Sep 2014 14:06:15 +0000 (UTC)

> Does anyone know if there's an fix for Debian's bash, and how to install
> it? 

As shown above - at least two people knew. Reading debian-user isn't
obligatory, even if you subscribe to it. You should consider subscribing
to debian-security-announce.

Installing a security upgrade? We have this little program called
apt-get and a security archive. I'd advise you to become familiar with
the ins and outs of Debian.