Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
According to
<https://secure.dshield.org/forums/diary/Attention+NIX+admins+time+to+patch/18703>:
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete.
An attacker can provide specially-crafted environment variables
containing arbitrary commands that will be executed on vulnerable
systems under certain conditions. The new issue has been assigned
CVE-2014-7169.
https://access.redhat.com/articles/1200223
According to the article at redhat, only bash is vulnerable, so (if you
do not have homegrown bashisms in shells with #!/bin/sh as first line)
you should check that ls -l /bin/sh gives "/bin/sh -> dash", and do
dpkg-reconfigure dash if it does not.
Reply to: