发信人: philhu(phil), 信区: GNULinux
标 题: Bash 严重漏洞
发信站: 饮水思源 (2014年09月25日01:42:54 星期四)
Bash 刚刚爆出一个非常严重的注入漏洞,在定义环境参数函数的时候:
> VAR=() { ignored; }; /bin/id
Bash 居然会执行后面的 /bin/id。
一些不提供 Shell 的 SSH,或者 CGI 是用 bash 写的,都会受到影响。
各个版本的 patch 已经出来了:
http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025
GNU 官方更新也快了。
Original Message:
Subject: CVE-2014-6271: remote code execution through bash
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 24 Sep 2014 16:05:51 +0200
Stephane Chazelas discovered a vulnerability in bash, related to how
environment variables are processed: trailing code in function
definitions was executed, independent of the variable name.
In many common configurations, this vulnerability is exploitable over
the network.
Chet Ramey, the GNU bash upstream maintainer, will soon release
official upstream patches.
--
※ 来源:·饮水思源 bbs.sjtu.edu.cn·[FROM: 219.228.106.234]
标 题: Bash 严重漏洞
发信站: 饮水思源 (2014年09月25日01:42:54 星期四)
Bash 刚刚爆出一个非常严重的注入漏洞,在定义环境参数函数的时候:
> VAR=() { ignored; }; /bin/id
Bash 居然会执行后面的 /bin/id。
一些不提供 Shell 的 SSH,或者 CGI 是用 bash 写的,都会受到影响。
各个版本的 patch 已经出来了:
http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025
GNU 官方更新也快了。
Original Message:
Subject: CVE-2014-6271: remote code execution through bash
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 24 Sep 2014 16:05:51 +0200
Stephane Chazelas discovered a vulnerability in bash, related to how
environment variables are processed: trailing code in function
definitions was executed, independent of the variable name.
In many common configurations, this vulnerability is exploitable over
the network.
Chet Ramey, the GNU bash upstream maintainer, will soon release
official upstream patches.
--
※ 来源:·饮水思源 bbs.sjtu.edu.cn·[FROM: 219.228.106.234]
No comments:
Post a Comment