[CentOS] Bash still vulnerable

Thu Oct 9 11:26:08 UTC 2014
Lars Hecking <lhecking at users.sourceforge.net>

 According to the vulnerability test script from shellshocker.net, the latest
 bash versions on CentOS5 and CentOS6, 3.2-33.el5_11.4 and 4.1.2-15.el6_5.2,
 resp., are still vulnerable to CVE-2014-6277. In fact, on CentOS6, abrtd will
 send you a nice report about it. Does anyone know if upstream is working on a
 fix?

[root@host ~]# bash ~/shellshock_test.sh
CVE-2014-6271 (original shellshock): not vulnerable
/root/shellshock_test.sh: line 16: 17229 Segmentation fault      (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
[root@host ~]#
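
An added example, not part of the original post or of the shellshocker.net script: a POSIX shell helper that parses test output in the format shown above, skips the interleaved crash message, and lists the CVEs reported VULNERABLE so the check can be scripted across hosts. The function names and exit codes are assumptions made for this example; the sample input is the output quoted in the post.

```shell
#!/bin/sh
# Added example: summarise shellshock_test.sh output for auditing.
# Sample input: the result lines quoted in the post (prompt lines omitted).
sample_output() {
cat <<'EOF'
CVE-2014-6271 (original shellshock): not vulnerable
/root/shellshock_test.sh: line 16: 17229 Segmentation fault      (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
EOF
}

# Read test output on stdin and print "ID<TAB>status" per result line.
# Anything that is not a result line (e.g. the shell's crash message) is ignored.
parse_results() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF from copied logs
        /^CVE-[0-9][0-9][0-9][0-9]-[^ ]+ \(.*\): (VULNERABLE|not vulnerable)$/ {
            status = ($NF == "VULNERABLE") ? "VULNERABLE" : "ok"
            print $1 "\t" status
        }'
}

# Print only the identifiers the script flagged as VULNERABLE.
vulnerable_ids() {
    parse_results | awk -F '\t' '$2 == "VULNERABLE" { print $1 }'
}

# Exit status (assumed convention): 0 = nothing flagged, 1 = at least one
# check flagged, 2 = no result lines found (script did not run or bad input).
audit() {
    results=$(parse_results)
    [ -n "$results" ] || { echo "no test results found" >&2; return 2; }
    hits=$(printf '%s\n' "$results" | awk -F '\t' '$2 == "VULNERABLE" { print $1 }')
    [ -z "$hits" ] && return 0
    printf 'vulnerable: %s\n' $hits >&2
    return 1
}

# Stand-alone run: print the parsed table for the sample from the post.
sample_output | parse_results
```

On a real host, pipe the script's combined output into `audit`, for example `bash ~/shellshock_test.sh 2>&1 | audit`.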