<html><head></head><body>dhcpd passes client-provided values to shell scripts as environment variables. Also going to be a concern in CGI setups.<br><br><div class="gmail_quote">On September 24, 2014 3:08:42 PM EDT, Mark Farver &lt;mfarver@mindbent.org&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<p dir="ltr">I think it is a stretch to label this remotely exploitable. If an attacker has remote control of environment variables you have bigger problems.</p>
<p dir="ltr">Mark</p>
<div class="gmail_quote">On Sep 24, 2014 2:50 PM, "John Wesorick" &lt;<a href="mailto:john@wesorick.com">john@wesorick.com</a>&gt; wrote:<br type="attribution" /><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><a href="http://www.ubuntu.com/usn/usn-2362-1/" target="_blank">Ubuntu</a> and <a href="https://lists.debian.org/debian-security-announce/2014/msg00220.html" target="_blank">Debian</a> were patched as well.</div><div class="gmail_extra"><br /><div class="gmail_quote">On Wed, Sep 24, 2014 at 2:44 PM, Kevin McCarthy <span dir="ltr">&lt;<a href="mailto:signals42@gmail.com" target="_blank">signals42@gmail.com</a>&gt;</span> wrote:<br /><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Figured I'd pass this along to the mailing list since it looks quite serious:<br /><br /><a
href="http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html" target="_blank">http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html</a><br /><br /></div>Almost every Linux install is vulnerable to a potentially-remote execution exploit involving bash. I know it has been patched in Gentoo and RHEL. It's probably been fixed in most other distros by now, too. Time to patch!<span><font color="#888888"><br /><br /></font></span></div><span><font color="#888888">-Kevin<br /><br /></font></span></div>
<br />_______________________________________________<br />
grlug mailing list<br />
<a href="mailto:grlug@grlug.org" target="_blank">grlug@grlug.org</a><br />
<a href="http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug" target="_blank">http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug</a><br /></blockquote></div><br /></div>
</blockquote></div>
</blockquote></div><br>
</body></html>