[Baypiggies] ALERT Real Bash vulnerability

Glen Jarvis glen at glenjarvis.com
Thu Sep 25 02:24:47 CEST 2014


BSD isn't immune... OSX either... (even after all OSX security patches
applied)...

Try on your OSX laptops...


If you're a brew user, good workaround:

"brew update && brew install bash"


G


On Wed, Sep 24, 2014 at 5:22 PM, Glen Jarvis <glen at glenjarvis.com> wrote:

> Believe it or not..
>
> "What the....."
>
> I've patched servers all afternoon...
>
>
> Bash (the program that is the command line where you type 'python') is
> actually vulnerable to injection attacks. If you're running a webserver,
> for example, you could be in trouble (environment variables through
> webserver headers can execute commands directly on machine).
>
>
> To test:
>
> prompt> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
>
> This is bad:
>
> vulnerable
> this is a test
>
>
>
> This is good:
>
> bash: warning: x: ignoring function definition attempt
>
> bash: error importing function definition for `x'
>
> this is a test
>
>
>
>
> Details:
>
> #86144 CVE-2014-6271: remote code execution through bash
>
>
> omg:
> https://news.ycombinator.com/item?id=8361574
> wtf:
> http://seclists.org/oss-sec/2014/q3/649
> a good explanation:
> http://seclists.org/oss-sec/2014/q3/650
> mgrosso <https://repairpal.slack.com/team/mgrosso> [1:26 PM] fyi.
>
>
>
> --
>
> "You grab mindshare by being there."
>
> -- Alex Martelli
>
>    Bay Area Python Interest Group Talk
>
>    24-Oct, 2013
>



-- 

"You grab mindshare by being there."

-- Alex Martelli

   Bay Area Python Interest Group Talk

   24-Oct, 2013
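The check below is an added example and is not part of the original mailing-list post. It wraps the exact probe quoted in the thread (`env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`) in a function that reports the result with an exit status, so it can be run across a fleet from a script rather than read by eye, and it adds a second function that scans web-server access-log lines for the same `() {` function-definition prefix in a header field, which is what the "environment variables through webserver headers" path in the thread looks like from the server's side. The log lines are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side checks for
# CVE-2014-6271 on a host and in its web-server logs.

# check_bash [path-to-bash]
# Runs the probe quoted in the thread against the given bash (default: the
# one on PATH). Returns 0 if bash ignored the trailing command (patched),
# 1 if it executed it (vulnerable), 2 if no bash binary was found.
check_bash() {
    bash_bin=${1:-$(command -v bash 2>/dev/null)}
    if [ -z "$bash_bin" ]; then
        echo "no bash found on PATH"
        return 2
    fi
    # The value looks like an exported function with a command appended.
    # A patched bash defines or refuses the function and stops there;
    # warnings go to stderr, so only stdout is inspected.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo "VULNERABLE: $bash_bin executed the trailing command"
            return 1 ;;
        *)
            echo "OK: $bash_bin ignored the trailing command"
            return 0 ;;
    esac
}

# scan_log_line LINE
# Returns 0 (and prints the line) when LINE carries the "() {" prefix
# anywhere a request header would be logged, 1 otherwise.
scan_log_line() {
    case "$1" in
        *'() {'*) printf 'SHELLSHOCK PROBE: %s\n' "$1"; return 0 ;;
        *) return 1 ;;
    esac
}

# scan_log < access.log
# Reads log lines from stdin and prints the number of lines that match.
scan_log() {
    n=0
    while IFS= read -r line; do
        if scan_log_line "$line" >/dev/null; then n=$((n+1)); fi
    done
    echo "$n"
}

# Constructed sample in combined-log format: two probe lines (one in the
# User-Agent field, one in the Referer field) and one ordinary request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:02:00:01 +0200] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:02:00:02 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:02:00:03 +0200] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "-"'

# Stand-alone run: check the local bash, then count probes in the sample.
check_bash || true
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

`check_bash /usr/local/bin/bash` is the call to make on OS X after the `brew install bash` workaround in the thread, since Homebrew's bash is installed beside, not over, the system one in /bin. The probe only exercises the function-import vector described in the thread; it is not a complete test of every bash parser fix that followed. The log scan keys on the `() {` prefix alone, so it will flag scanners and harmless probes as well as real attempts; the value is in the count and the source addresses, which tell you whether CGI paths on that server were being reached.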