Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
Hello
This weakness than is sufficient to protect them do as follows.
apt-get update and apt-get install --only-package bash
On Thu, Sep 25, 2014 at 10:18 AM, Håkon Alstadheim
<hakon@alstadheim.priv.no> wrote:
> According to
> <https://secure.dshield.org/forums/diary/Attention+NIX+admins+time+to+patch/18703>:
> Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An
> attacker can provide specially-crafted environment variables containing
> arbitrary commands that will be executed on vulnerable systems under certain
> conditions. The new issue has been assigned CVE-2014-7169.
> https://access.redhat.com/articles/1200223
>
> According to the article at redhat, only bash is vulnerable, so (if you do
> not have homegrown bashisms in shells with #!/bin/sh as first line) you
> should check that ls -l /bin/sh gives "/bin/sh -> dash", and do
> dpkg-reconfigure dash if it does not.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject
> of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 5423C1C4.1090301@alstadheim.priv.no">https://lists.debian.org/[🔎] 5423C1C4.1090301@alstadheim.priv.no
>
Reply to: