This article provides information about a security issue in the Unix shell Bash (Bourne Again Shell), which is commonly used in Linux environments as well as Mac OS.
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
CVE-2014-7169 describes the incomplete fix of CVE-2014-6271 in the first round of patches.
For further information, please refer to the References section.
Because Fabasoft products do not use CGI scripts in Linux environments, they are not directly affected by this vulnerability.
We strongly suggest you immediately install the latest patches for the bash executable on all systems!
All major Linux distributions have released patches for both the original and the follow-up CVE. So far there are no known problems with either of these patches. At the time of writing, the second patch has not yet been distributed to all patch mirrors, so it is advised to verify the version of the patch provided by your mirror.
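One way to carry out that verification, as an added example that is not part of the original advisory: a local check that a given bash binary carries both fixes. The function names are hypothetical, and the probe strings are the commonly published self-tests for the two CVEs; they touch only the local binary.

```shell
#!/bin/sh
# Added example: local check of a bash binary for CVE-2014-6271 and
# CVE-2014-7169. Usage: sh check.sh [path-to-bash]  (default: bash on PATH)

# CVE-2014-6271: an unpatched bash executes the text that follows a function
# definition imported from the environment. A patched bash prints only "probe".
check_6271() {
    out=$(env x='() { :;}; echo VULNERABLE' "$1" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: with only the first patch applied, leftover parser state from
# the malformed definition makes "echo date" run as "date > echo", which
# leaves a file named "echo" behind. The probe runs in a scratch directory.
check_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result="vulnerable"; else result="patched"; fi
    rm -rf "$dir"
    echo "$result"
}

# Report both results; exit status 0 only when both fixes are present.
check_bash() {
    bin=${1:-$(command -v bash)}
    [ -x "$bin" ] || { echo "no bash binary found" >&2; return 2; }
    "$bin" --version | head -n 1
    r1=$(check_6271 "$bin"); echo "CVE-2014-6271: $r1"
    r2=$(check_7169 "$bin"); echo "CVE-2014-7169: $r2"
    [ "$r1" = "patched" ] && [ "$r2" = "patched" ]
}

check_bash "$@"
```

A system that reports CVE-2014-6271 as patched but CVE-2014-7169 as vulnerable has received only the first round of patches from its mirror.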
- NVD - Vulnerability Summary for CVE-2014-6271
- NVD - Vulnerability Summary for CVE-2014-7169
- CVE - CVE-2014-6271
- CVE - CVE-2014-7169
- Update on CVE-2014-6271: Vulnerability in bash (shellshock)
- All Fabasoft products running on a Linux environment