[BlueOnyx:16028] Re: Bash Vulnerability

Michael Stauber mstauber at blueonyx.it
Wed Sep 24 17:53:09 -05 2014


Hi Dr. Blunt,

> Wow -- that was a quick fix !!!

Yeah, there are updated bash RPMs out for CentOS 5, 6, 7 and also SL 6.

So we're all good and a "yum update" will take care of this.

And yes: The bug is pretty stupid. Here is more info about it:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

When I learned about it this morning I spent some time thinking about
whether BlueOnyx was affected and to what degree.

In the end there might have been a way via suPHP (complicated, but
*maybe* possible if the right combination of factors comes together).

There are also methods for the GUI to spawn shells to execute a
limited subset of allowed binaries. But the way that this is done
usually starts with a pretty clean sheet of environment variables. And then
again: All cases where the GUI does that require that someone knows the
admin password, or that of a similarly privileged user.

But it's good that the fixed RPMs are out so quickly. That's indeed a
nice surprise.

-- 
With best regards

Michael Stauber
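
An added check, not part of the list post or the BlueOnyx project: a bash script that probes the installed bash for the environment-variable function-import bug discussed in the linked Red Hat article (Shellshock, CVE-2014-6271) and then shows why a child shell started from a scrubbed environment, the way the post describes the GUI doing, never sees a hostile variable at all, whether or not bash itself is patched. The variable names PROBE and ATTACKER_VAR are arbitrary choices for this example.

```shell
#!/bin/bash
# Added example, not code from the BlueOnyx post or project.
# Probes the local bash for the environment-variable function-import bug
# (Shellshock, CVE-2014-6271) and shows why a child spawned from a scrubbed
# environment never sees a hostile variable in the first place.
# PROBE and ATTACKER_VAR are arbitrary names chosen for this example.

# Classic probe: export a variable whose value looks like an exported
# function definition with trailing commands. A vulnerable bash runs the
# trailing "echo injected" while importing its environment, before it ever
# executes the -c script. A patched bash treats the value as plain data.
shellshock_probe() {
    out=$(env 'PROBE=() { :; }; echo injected' bash -c 'echo body' 2>/dev/null)
    case "$out" in
        *injected*) echo vulnerable ;;
        *)          echo patched ;;
    esac
}

# A child started with env -i inherits nothing from the caller's environment,
# so a variable planted by, e.g., a web request cannot reach the child shell.
# Only an explicit, known-good PATH is handed in.
spawn_clean() {
    ATTACKER_VAR='from the request' \
        env -i PATH=/usr/bin:/bin bash -c 'printf "%s" "${ATTACKER_VAR+present}"'
}

# Same command without the scrubbing: the child sees the variable.
spawn_dirty() {
    ATTACKER_VAR='from the request' \
        bash -c 'printf "%s" "${ATTACKER_VAR+present}"'
}

# Usage: report the probe result and the two spawn behaviours.
echo "installed bash: $(shellshock_probe)"
echo "clean child sees variable: '$(spawn_clean)'"
echo "dirty child sees variable: '$(spawn_dirty)'"
```

After the "yum update" the post recommends, shellshock_probe should print "patched"; the clean/dirty pair prints an empty string and "present" on any bash, which is the property that makes a scrubbed environment a useful defence-in-depth even before the RPM lands.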


