Re: Bash-4.3 Official Patch 26
From: Eric Blake
Subject: Re: Bash-4.3 Official Patch 26
Date: Sat, 27 Sep 2014 00:21:13 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/26/2014 06:58 PM, Nathan McGarvey wrote:
> Pardon my catching up. This (and all the other related patches for
> other past versions) is to remedy CVE-2014-7169 and CVE-2014-6271 was
> remedied by the previous Patch 25 (and related set for all other
> versions.) Is this correct? Or are there still outstanding issues?
If _all_ you apply is patch 25 and 26, then you are STILL vulnerable to
ShellShock (we know of at least CVE-2014-7186 and CVE-2014-7187 that are
also ShellShock attack points, and there are probably more). For a more
comprehensive read, see:
https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org