UPDATE 2: Updated bash packages that address CVE-2014-7169 are now available. With this update, the environment variable names that carry exported shell functions are given a prefix and suffix as a hardening measure, so an arbitrary variable (such as one populated from an HTTP request header) is no longer treated as a function definition. Two out-of-bounds array accesses in the bash parser are fixed as well. Please check the following links:

CentOS: https://access.redhat.com/node/1200223
Ubuntu: http://www.ubuntu.com/usn/usn-2363-2/
Debian: https://www.debian.org/security/2014/dsa-3035

UPDATE from Red Hat: Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. The patches are being worked on in conjunction with the upstream developers as a critical priority. We will keep you updated regarding this. You can keep track at https://security-tracker.debian.org/tracker/CVE-2014-7169

A vulnerability named CVE-2014-6271, discovered last week, was made public yesterday. This vulnerability in bash lets an attacker execute arbitrary code if they can place data of their choosing into an environment variable of a process that then starts bash. As bash is a common shell for evaluating and executing commands on behalf of other programs, this vulnerability may affect many applications that take user input and call other programs via a shell (for example through system() or popen(), or via /bin/sh where sh is bash).

Bash supports exporting shell variables as well as shell functions to other bash instances. This is done through the process environment: an exported function is stored in an environment variable whose value begins with "() {", and a child bash that finds such a variable parses it and defines the function at startup. The flaw is that a vulnerable bash does not stop at the end of the function body but also executes any commands that follow it in the same variable, before the script or command it was asked to run even starts. The major attack vectors identified so far are HTTP requests and CGI scripts, because a web server copies request headers such as User-Agent into environment variables (HTTP_USER_AGENT) before invoking the CGI program, so any such header reaches bash under attacker control. Following are the mitigating steps you can take:
- Upgrade bash to a version that fixes both CVE-2014-6271 and CVE-2014-7169 (the first round of packages addressed only the former), and restart long-running services so they pick up the new binary.
- Replace bash with an alternate shell (for example point /bin/sh at dash). Note that scripts which rely on bash-specific features will break, and programs that invoke /bin/bash explicitly remain exposed.
- Limit access to vulnerable services, in particular CGI scripts and anything else that exposes bash to network input.
- Filter inputs to vulnerable services, for example by rejecting requests whose headers contain the "() {" sequence at a web server or proxy. Treat this as a stopgap only; it does not fix the parser.
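To check whether an installed bash still has either issue, and to see the mechanism described above (a function travelling to a child process as an environment variable), the following script is an added example and is not part of the original post. The two probe payloads are the publicly circulated reproducers for CVE-2014-6271 and CVE-2014-7169 (a harmless echo and the creation of a file named "echo" in a scratch directory); the function names exported_function_var and shellshock_check are mine.

```shell
#!/bin/sh
# Added example (not from the original post): probe a bash binary for the
# two Shellshock issues and show how bash exports a function through the
# environment. Payloads are the public reproducers for CVE-2014-6271 and
# CVE-2014-7169; the function names below are my own.

# Print the name of the environment variable that carries an exported
# function "f" into a child process. Unpatched bash uses the bare name
# "f"; the hardened packages add a prefix and suffix (e.g. BASH_FUNC_f%%),
# which is why an arbitrary variable can no longer be mistaken for one.
exported_function_var() {
  bash_bin="${1:-bash}"
  "$bash_bin" -c 'f() { echo hi; }; export -f f; env' 2>/dev/null \
    | grep -E '^(BASH_FUNC_)?f(%%|\(\))?=\(\) \{' | head -n 1 | cut -d= -f1
}

# Check one bash binary. Prints a verdict per CVE; returns 0 if neither
# issue reproduced, 1 if at least one did.
shellshock_check() {
  bash_bin="${1:-bash}"
  status=0

  # CVE-2014-6271: the value looks like a function definition, and a
  # vulnerable parser keeps going and runs "echo vulnerable" while merely
  # importing the variable at startup, before -c 'echo ok' is reached.
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo ok' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "CVE-2014-6271: vulnerable"; status=1 ;;
    *)            echo "CVE-2014-6271: not vulnerable" ;;
  esac

  # CVE-2014-7169: the first fix left parser state behind; the trailing
  # backslash makes the next word ("echo") be consumed as a redirection
  # target, so a vulnerable bash writes the output of "date" into a file
  # named "echo" instead of printing the word "date".
  tmpdir=$(mktemp -d) || return 1
  (cd "$tmpdir" && env x='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1)
  if [ -e "$tmpdir/echo" ]; then
    echo "CVE-2014-7169: vulnerable"; status=1
  else
    echo "CVE-2014-7169: not vulnerable"
  fi
  rm -rf "$tmpdir"
  return $status
}

# Stand-alone use: report on the bash in PATH, or on the binary given as $1.
echo "exported function travels as: $(exported_function_var "${1:-bash}")"
shellshock_check "${1:-bash}"
```

Run it once against /bin/bash and once against any other bash copies on the host (find / -name bash -type f), since a service may be built against a bundled or chroot copy that the package update did not touch. A patched system prints "not vulnerable" for both lines and shows the exported function under a prefixed name rather than the bare "f".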