On Thu, Sep 25, 2014 at 11:51 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Wed, Sep 24, 2014 at 4:50 PM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>> Given the mod_cgi effects, especially for Nagios and other servers, I'd urge caution and stage environment testing before mass deployment.
>>
>
> What is likely to break? And what things are likely to allow the
> attack? That is, besides ssh command restrictions, where can you set
> arbitrary env variables where you wouldn't have had access to execute
> a shell command directly.

It's very difficult to predict what will break in some weird flipping environments. The canonical cartoon about this is http://xkcd.com/1172/ .

As I mentioned, Nagios and its use of 'mod_cgi' may be at risk. Thinking about it, the git CentOS repository could possibly be vulnerable, depending on just how the git credentials are managed there. I'd urge a check.
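The staging-environment check the message above asks for, written here as an added example (it is not code from this thread, from CentOS or from Nagios). It tests two things a defender wants to know before and after rolling the bash update out: whether the installed bash still executes a command that trails a function definition imported from the environment, and whether /bin/sh (what system(3), popen(3) and most CGI wrappers actually run) is bash at all. The variable name `probe` and the marker word `vulnerable` are constructed for this check.

```shell
#!/bin/sh
# Added example: staging check for the bash environment-variable
# function-import bug discussed in the thread.
# A patched bash ignores anything that follows the function body when it
# imports a function definition from the environment; an unpatched bash
# runs it. The probe only echoes a marker word, nothing else.

# Prints "vulnerable", "patched" or "no-bash".
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # "probe" is a constructed variable name; the trailing "echo vulnerable"
    # is the part a fixed bash must never execute.
    out=$(env probe='() { :;}; echo vulnerable' bash -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Prints "yes" if /bin/sh is bash (so any CGI, cron or system() call that
# hands untrusted environment to a shell reaches the affected code), "no"
# if it is another shell such as dash.
sh_is_bash() {
    if /bin/sh -c 'test -n "$BASH_VERSION"' 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone report for a staging host.
report() {
    echo "bash function import: $(shellshock_status)"
    echo "/bin/sh is bash:      $(sh_is_bash)"
}

report
```

Run it on the staging box before and after the update; "vulnerable" on a host whose web server, Nagios CGI or restricted ssh commands reach bash is the case the thread is worried about, and "patched" after the update is the result you want before touching production.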