Remotely exploitable bash bug

[Update: 9/25/2014 – A quick check shows that opensuse has a patch for this for 13.1, and presumably for 12.3.  You should update your system as soon as possible.  An email message in the factory mailing list explains why this is not yet fixed for factor and contains a pointer to where you can update bash if your system is running public services (such as a web server.]

This will be brief.  Information is coming out about CVE-2014-6271, a bash bug which is potentially remotely exploitable.

I suggest you do a web search for “CVE-2014-6271” if you are looking for information.  Information on this bug was embargoed until a few hours ago, so better information will soon start turning up.

The bug itself is with the use (and mishandling) of environmental variables, particularly when they define shell functions.  The concern is that this might be a vector of attack via shell scripts that can be invoked remotely, such as cgi-scripts on web servers.

I’m not personally concerned.  I am not running a web server, and I doubt that I have any easy attack points for this bug.

There’s no information on when opensuse will fix this, though they are working on it.  The bug is mentioned in the opensuse mailing list, which is where I heard about it.


About Neil Rickert

Retired mathematician and computer scientist who dabbles in cognitive science.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: