[CentOS-devel] Critical update for bash was released today.

Thu Sep 25 19:41:10 UTC 2014
Nico Kadel-Garcia <nkadel at gmail.com>

On Thu, Sep 25, 2014 at 11:51 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Wed, Sep 24, 2014 at 4:50 PM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>> Given the mod_cgi effects, especially for Nagios and other servers, I'd urge caution and stage environment testing before mass deployment.
>>
>
> What is likely to break?   And what things are likely to allow the
> attack?  That is, besides ssh command restrictions, where can you set
> arbitrary env variables where you wouldn't have had access to execute
> a shell command directly.

It's very difficult to predict what will break in some weird flipping
environments. The canonical cartoon about this is
http://xkcd.com/1172/ . As I mentioned, Nagios and its use of
'mod_cgi' may be at risk.

Thinking about it, the git CentOS repository could possibly be
vulnerable, depending on just how the git credentials are managed
there I'd urge a check.