[Triumf-linux-managers] [ Technical Alert ] Bash code-injection vulnerability
Andrew Daviel
advax at triumf.ca
Wed Sep 24 16:20:58 PDT 2014
On Wed, 24 Sep 2014, Kelvin Raywood wrote:
> More info, including a table of version numbers of the fixed packages
> is available at:
>
> https://access.redhat.com/articles/1200223
There is a very simple test described in
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
along with a list of vulnerable scenarios (e.g. regular DHCP client with a
compromised server)

viz.

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager