[CentOS] Critical update for bash released today.

Cliff Pratt enkiduonthenet at gmail.com
Fri Sep 26 23:27:43 UTC 2014


On Fri, Sep 26, 2014 at 6:28 PM, James Hogarth <james.hogarth at gmail.com>
wrote:

> On 26 Sep 2014 05:46, "Cliff Pratt" <enkiduonthenet at gmail.com> wrote:
> >
> > Take the case of an Apache Bash CGI. This will have been loaded when
> Apache
> > started, so Apache will have to be restarted to get the new one. There
> may
> > be other similar cases. So the best thing is to reboot.
> >
>
> This is false and a major misunderstanding of the vulnerability.
>
> 1) the vulnerability is just during initialisation of bash. Once it is
> running it is beyond the vulnerable stage and needs no restarting
> 2) in a CGI of #!/bin/bash or for a system call with any other language for
> CGI bash gets executed on demand... It does not do what you say...
>

You are 100% correct, sir. Sorry about the noise......

Cheers,

Cliff



More information about the CentOS mailing list