Vulnerability in Bash: remote code execution The
vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way – including any child processes spawned by the scripts – are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.
You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
<smug> Debian seems OK </smug>.
Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable. Zsh seems also OK.
Update: Critical update for bash released today.
1.
CentOS
2. update ">=app-shells/bash-4.2_p48-r1" for Gentoo