This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: [ANNOUNCEMENT] Updated: bash-4.1.14-7
- From: Andy <AndyMHancock at gmail dot com>
- To: cygwin at cygwin dot com
- Date: Wed, 1 Oct 2014 01:42:39 +0000 (UTC)
- Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.14-7
- Authentication-results: sourceware.org; auth=none
- References: <announce dot 5429CDA3 dot 8080300 at byu dot net>
Eric Blake (cygwin <ebb9 <at> byu.net> writes:
> This is a minor rebuild which picks up an upstream patch to fix
> CVE-2014-7169 and all other ShellShock attacks (4.1.13-6 was also safe,
> but used a slightly different downstream patch that used '()' instead of
> '%%' in environment variables, and which was overly restrictive on
> importing functions whose name was not an identifier). There are still
> known parser crashers (such as CVE-2014-7186, CVE-2014-7187, and
> CVE-2014-6277) where upstream will probably issue patches soon; but
> while those issues can trigger a local crash, they cannot be exploited
> for escalation of privilege via arbitrary variable contents by this
> build. Left unpatched, a vulnerable version of bash could allow
> arbitrary code execution via specially crafted environment variables,
> and was exploitable through a number of remote services, so it is highly
> recommended that you upgrade
I found this to be a good test site, with a comprehensive list of
exploits and explicit description of what to expect in order to decide
whether an exploit is still active: http://shellshocker.net
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple