[CentOS] Critical update for bash released today.
Keith Keller
kkeller at wombat.san-francisco.ca.us
Fri Sep 26 05:50:19 UTC 2014

On 2014-09-26, Cliff Pratt <enkiduonthenet at gmail.com> wrote:
> Take the case of an Apache Bash CGI. This will have been loaded when Apache
> started, so Apache will have to be restarted to get the new one.

Based on my (admittedly limited) testing I do not believe this is the
case. Apache exec()'s the interpreter on each request; it doesn't save
the interpreter into its memory space, so each subsequent call should
re-run the interpreter. That's one of the big reasons mod_perl and
their ilk are popular: they do put the interpreter into httpd's memory,
so the interpreter doesn't have to be called on each invocation.

I don't currently have a vulnerable interpreter available on a web
server, but on the servers where I have an updated bash, the
"vulnerable" message that's produced by the example code doesn't show up
in a bash CGI on a web server I haven't restarted.

# example code
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

--keith

--
kkeller at wombat.san-francisco.ca.us
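
The two checks this thread turns on, as an added example that is not part of the original message: whether the bash binary on disk (what the next exec() of a CGI gets) still fails the example code, and which already-running processes still execute the replaced binary. The helper names and the /proc-style sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Helper names and the sample tree are constructed for illustration.

# Return 0 if the interpreter at $1 prints "vulnerable" for the example code
# quoted in the message. This tests the on-disk binary, i.e. what the next
# exec() of a CGI script would get.
bash_is_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null) || :
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print PIDs under proc root $1 whose exe link names a replaced copy of binary $2.
# Linux appends " (deleted)" to the link target once the old file is unlinked.
stale_exe_pids() {
    for link in "$1"/[0-9]*/exe; do
        [ -L "$link" ] || continue
        target=$(readlink "$link") || continue
        case "$target" in
            */"$2 (deleted)")
                pid=${link%/exe}
                echo "${pid##*/}" ;;
        esac
    done
}

# Constructed stand-in for /proc so the example runs offline.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/202" "$root/303"
    ln -s "/bin/bash (deleted)" "$root/101/exe"   # started before the update
    ln -s "/bin/bash"           "$root/202/exe"   # started after the update
    ln -s "/usr/sbin/httpd"     "$root/303/exe"   # httpd itself is not bash
    echo "$root"
}

sample=$(make_sample_proc)
echo "PIDs still running the old bash: $(stale_exe_pids "$sample" bash)"
rm -rf "$sample"
```

On a real host the calls would be `bash_is_vulnerable /bin/bash` and `stale_exe_pids /proc bash`; reading other users' exe links requires root.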