CVE-2014-6271 -- please upgrade bash asap if you're using it

Sitaram Chamarty

Sep 24, 2014, 8:41:32 PM
to Gitolite Google Groups, gitolite...@googlegroups.com
Hi all,

Several URLs exist, here's one: https://access.redhat.com/security/cve/CVE-2014-6271

To test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Affects gitolite. Happens before gitolite-shell gets control, so it's
not even *logged* by gitolite!

Upgrade bash asap and re-test as above. Or change the shell for the
gitolite hosting user to dash or zsh.

Note: some places suggest "ln -sf /bin/<some other shell> /bin/sh".
That won't work. Sshd uses the hosting user's shell, and if that is
explicitly named as "/bin/bash", it'll run bash.
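
An added example, not part of the original post: a check that reads the shell field sshd would use for the hosting user and, when it resolves to bash, runs the test command from the post against that exact binary. The function names, the user names "git" and "git2", and the sample passwd lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# login_shell FILE USER: print the 7th passwd field, the shell sshd runs for USER.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# is_bash PATH: follow symlinks so a shell field that merely points at bash
# is still counted as bash.
is_bash() {
    target=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    case "${target##*/}" in bash) return 0 ;; esac
    return 1
}

# probe SHELL: the test from the post, run against one specific shell binary.
probe() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *) echo ok ;;   # the trailing command in x was not executed
    esac
}

# assess FILE USER: combine the steps into one verdict string.
assess() {
    sh_path=$(login_shell "$1" "$2")
    [ -n "$sh_path" ] || { echo "no-such-user"; return; }
    if is_bash "$sh_path"; then
        if [ -x "$sh_path" ]; then
            echo "bash:$(probe "$sh_path")"
        else
            echo "bash:not-installed"
        fi
    else
        echo "not-bash"
    fi
}

# Constructed sample passwd entries (not from a real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
git:x:1001:1001:gitolite hosting user:/home/git:/bin/bash
git2:x:1002:1002:gitolite hosting user:/home/git2:/bin/dash
EOF
for u in git git2; do
    echo "$u: $(assess "$SAMPLE" "$u")"
done
```

On a real host, pass /etc/passwd and the actual hosting user name to assess instead of the sample file.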