Arch Linux Security Advisory 201409-2 ===================================== Severity: Critical Date : 2014-09-26 CVE-ID : CVE-2014-6271, CVE-2014-7169 Package : bash Type : Remote code execution Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package bash before version 4.3.026-1 is vulnerable to remote code execution. Resolution ========== Upgrade to 4.3.026-1. $ pacman -Syu "bash>=4.3.026-1" The problem has not been fixed upstream yet, though some patches were released [1]. Workaround ========== It is possible to work around this issue by replacing bash with a non-affected shell, for example dash, when specifics bash features are not needed. Description =========== GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. References ========== [1] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 https://bugs.archlinux.org/task/42109 http://lcamtuf.blogspot.fr/2014/09/quick-notes-about-bash-bug-its-impact.htm...