[CentOS-devel] Critical update for bash was released today.

Sat Sep 27 02:40:57 UTC 2014
Jim Perrin <jperrin at centos.org>


On 09/26/2014 09:12 PM, Nico Kadel-Garcia wrote:
> On Fri, Sep 26, 2014 at 9:34 AM, Karanbir Singh <mail-lists at karan.org> wrote:
>> On 09/25/2014 08:41 PM, Nico Kadel-Garcia wrote:
>>
>>> Thinking about it, the git CentOS repository could possibly be
>>> vulnerable, depending on just how the git credentials are managed
>>> there. I'd urge a check.
>>
>> no shell out happens at git.centos.org
>>
>> gitweb however, is exposed. As is anything that does a system() call.
> 
> Cool. I'm curious how you do it, but would understand not wanting to
> discuss that kind of security detail on a public mailing list.
> 
> Thinking further about it, if the web side uses something like
> Apache's 'mod_cgi', there are some separate risks there as well. I'd
> hope there's no inappropriate write access for the 'httpd' user, even
> if you're vulnerable. (I mention that for folks not as familiar with
> escalation attacks.)


http://i.imgur.com/1NCi07n.jpg



-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77