D. J. Bernstein
2014-09-26 03:31:16 UTC
In case anyone hasn't heard, there's an amazing bash bug known as
"shellshock" that executes arbitrary environment variables as code:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
There are many ways for attackers to pass information into environment
variables via ssh, apache, qmail, et al. My recommendations are to
* upgrade bash and
* change /bin/sh to something simpler (such as dash), if you're on a
system that uses bash as /bin/sh.
If you've manually copied shells into chroot environments then you
should make sure to upgrade those copies as well.
---Dan
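
An added example, not part of the original message: a small audit script for the two recommendations above. It reports whether bin/sh resolves to bash and lists bash copies under each tree it is given. The function names and the roots passed on the command line (for example a chroot path) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit /bin/sh and bash copies.
# Usage: sh audit.sh / /path/to/chroot ...   (roots are supplied by the operator)

# Print the basename of the real file a shell path resolves to, e.g. "bash" or "dash".
sh_target() {
    [ -e "$1" ] || return 1
    resolved=$(readlink -f "$1" 2>/dev/null) || return 1
    [ -n "$resolved" ] || return 1
    basename "$resolved"
}

# List regular files named "bash" under a root (real copies, not symlinks).
find_bash_copies() {
    find "$1" -xdev -type f -name bash 2>/dev/null | sort
}

# Report on one root: what its bin/sh points at, and every bash copy inside it.
audit_root() {
    root=${1%/}
    target=$(sh_target "$root/bin/sh") || target="missing"
    if [ "$target" = "bash" ]; then
        echo "WARN $root/bin/sh -> bash"
    else
        echo "OK   $root/bin/sh -> $target"
    fi
    find_bash_copies "${root:-/}" | while IFS= read -r copy; do
        echo "COPY $copy (upgrade this copy as well)"
    done
}

# Only scan when roots are given, so sourcing the file has no side effects.
if [ "$#" -gt 0 ]; then
    for r in "$@"; do
        audit_root "$r"
    done
fi
```

A WARN line marks a tree where bin/sh is bash; each COPY line is a separate binary that a package upgrade of the host's bash will not touch.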