[CentOS] Critical update for bash released today.

Fri Sep 26 05:50:19 UTC 2014
Keith Keller <kkeller at wombat.san-francisco.ca.us>

On 2014-09-26, Cliff Pratt <enkiduonthenet at gmail.com> wrote:
> Take the case of an Apache Bash CGI. This will have been loaded when Apache
> started, so Apache will have to be restarted to get the new one.

Based on my (admittedly limited) testing I do not believe this is the
case.  Apache exec()'s the interpreter on each request; it doesn't save
the interpreter into its memory space, so each subsequent call should
re-run the interpreter.  That's one of the big reasons mod_perl and
its ilk are popular: they do put the interpreter into httpd's memory,
so the interpreter doesn't have to be called on each invocation.

I don't currently have a vulnerable interpreter available on a web
server, but on the servers where I have an updated bash, the
"vulnerable" message that's produced by the example code doesn't show
up in a bash CGI on a web server I haven't restarted.

# example code
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

--keith

-- 
kkeller at wombat.san-francisco.ca.us
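
The thread's question is which already-running processes still hold the pre-update bash. The sketch below is an added example, not part of the original message: it lists PIDs whose executable is a bash binary that has since been replaced on disk. It assumes Linux procfs, where /proc/PID/exe of an unlinked binary reads as "<path> (deleted)"; the function name stale_bash_pids and its optional directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: find processes still executing a bash binary that was
# replaced by a package update. Assumption: Linux procfs semantics, where
# the exe link of an unlinked binary ends in " (deleted)".

# stale_bash_pids [PROC_ROOT]   (hypothetical helper name)
# Prints one PID per line. PROC_ROOT defaults to /proc; it is a parameter
# only so the function can be run against a constructed directory tree.
stale_bash_pids() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for processes we are not
        # allowed to inspect; skip those instead of aborting the scan.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            */bash\ \(deleted\)) echo "${dir##*/}" ;;
        esac
    done
}

# A bash CGI is exec()'d fresh for each request, so it picks up the new
# binary and should not show up here. Login shells and long-running
# scripts started before the update are what this scan reports.
stale_bash_pids "$@"
```

Run it as root to see every process; an unprivileged user can only read the exe link of their own processes.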