[ANNOUNCEMENT] Updated: bash-4.1.14-7
Andy
AndyMHancock@gmail.com
Wed Oct 1 01:43:00 GMT 2014
Eric Blake (cygwin <ebb9 <at> byu.net> writes:
> This is a minor rebuild which picks up an upstream patch to fix
> CVE-2014-7169 and all other ShellShock attacks (4.1.13-6 was also safe,
> but used a slightly different downstream patch that used '()' instead of
> '%%' in environment variables, and which was overly restrictive on
> importing functions whose name was not an identifier). There are still
> known parser crashers (such as CVE-2014-7186, CVE-2014-7187, and
> CVE-2014-6277) where upstream will probably issue patches soon; but
> while those issues can trigger a local crash, they cannot be exploited
> for escalation of privilege via arbitrary variable contents by this
> build. Left unpatched, a vulnerable version of bash could allow
> arbitrary code execution via specially crafted environment variables,
> and was exploitable through a number of remote services, so it is highly
> recommended that you upgrade
I found this to be a good test site, with a comprehensive list of
exploits and explicit description of what to expect in order to decide
whether an exploit is still active: http://shellshocker.net
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
More information about the Cygwin
mailing list