According to the vulnerability test script from shellshocker.net, the latest bash versions on CentOS5 and CentOS6, 3.2-33.el5_11.4 and 4.1.2-15.el6_5.2, resp., are still vulnerable to CVE-2014-6277. In fact, on CentOS6, abrtd will send you a nice report about it. Does anyone know if upstream is working on a fix?

[root at host ~]# bash ~/shellshock_test.sh
CVE-2014-6271 (original shellshock): not vulnerable
/root/shellshock_test.sh: line 16: 17229 Segmentation fault (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
[root at host ~]#

On 10/09/2014 12:26 PM, Lars Hecking wrote:
>
> According to the vulnerability test script from shellshocker.net, the latest
> bash versions on CentOS5 and CentOS6, 3.2-33.el5_11.4 and 4.1.2-15.el6_5.2,
> resp., are still vulnerable to CVE-2014-6277. In fact, on CentOS6, abrtd will
> send you a nice report about it. Does anyone know if upstream is working on a
> fix?
>

https://bugzilla.redhat.com/show_bug.cgi?id=1147189 has conversation and details that you might find interesting.

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc

I noticed this as well but did some homework ;-)

https://bugzilla.redhat.com/show_bug.cgi?id=1147189
https://access.redhat.com/security/cve/CVE-2014-6277

If I understand it correctly they think it's not exploitable anymore. Still think it should get patched immediately as there is an upstream patch available and it avoids any more questions and confusion about this problem.

Kai