oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)
From: Ramon de C Valle <rcvalle () vmware com>
Date: Mon, 29 Sep 2014 17:27:24 +0000
On Sep 26, 2014, at 5:52 PM, Bryan Drewery <bdrewery () FreeBSD org> wrote:
> On 9/26/2014 9:13 AM, Christos Zoulas wrote:
>> On Sep 26, 1:47pm, john.haxby () oracle com (John Haxby) wrote:
>> -- Subject: Re: [oss-security] Re: CVE-2014-6271: remote code execution throu
>>
>> | It's not so much the known attacks -- redefining ls, unset, command,
>> | typeset, declare, etc -- it's the future parser bugs that we don't yet
>> | know about.
>> |
>> | A friend of mine said this could be a vulnerability gift that keeps on
>> | giving.
>>
>> I think that at this point the conservative approach is best, so until
>> the bash author figures what the best solution is, the feature is
>> disabled by default for NetBSD. It is not wise to expose bash's parser
>> to the internet and then debug it live while being attacked.
>>
>> christos
>
> FreeBSD has taken a similar approach. We have used Christos' patch and
> disabled the feature by default.
>
> https://svnweb.freebsd.org/changeset/ports/369341
>
> Regards,
> Bryan Drewery
In addition to Florian’s and upstream's patches, VMware has also used Christos’ patch and disabled the feature by default on all its virtual appliances across all its product lines.

--
Ramon de C Valle
VMware Product Security Engineering