GNU Bash up to and including 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote malicious users to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
Vulnerable Product |
---|
gnu bash 1.14.0 |
gnu bash 1.14.1 |
gnu bash 2.0 |
gnu bash 2.01 |
gnu bash 2.05 |
gnu bash 3.0 |
gnu bash 4.1 |
gnu bash 4.2 |
gnu bash 1.14.2 |
gnu bash 1.14.3 |
gnu bash 2.01.1 |
gnu bash 2.02 |
gnu bash 3.0.16 |
gnu bash 3.1 |
gnu bash 4.3 |
gnu bash 1.14.4 |
gnu bash 1.14.5 |
gnu bash 2.02.1 |
gnu bash 2.03 |
gnu bash 2.04 |
gnu bash 3.2 |
gnu bash 3.2.48 |
gnu bash 1.14.6 |
gnu bash 1.14.7 |
gnu bash 4.0 |

Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Oracle has confirmed that at least 32 of its products are affected by the vulnerability recently discovered in the Bash command-line interpreter – aka the "Shellshock" bug – including some of the company's pricey integrated hardware systems. The database giant issued a security alert regarding the issue on Friday, warning that many Oracle customers will have to wait awhile longer to receive patches. "Oracle is still investigating this issue and will provide fixes for affected products as soo...
UK data watchdog rolls up its sleeves, polishes truncheon
Updated The UK's privacy watchdog is urging organisations to protect their systems against the infamous Shellshock vulnerability in Bash – even though the full scope of the security bug remains unclear. The Shellshock flaw affects Bash up to and including version 4.3. It's a vital component of many Linux and Unix systems, as well as networking kit and embedded devices. It's also present in the latest versions of Apple's OS X for Macs. The flaw allows hackers to execute arbitrary code smuggled ...
Update your gear now to avoid early attacks hitting the web
Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers. But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete. The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – including Apple's ...