CVE-2014-6271

Hi,

I imagine the sysadmins on the list already know, but I'm pointing it
out to everyone anyway:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

In short: bash shells (all versions) are vulnerable to attacks,
including remote ones, based on arbitrary code. Get ready for a bash
update as soon as the patches and the new packages are released.

HTH,
Stefano

And note that the public fix for that CVE is not complete. See:
CVE-2014-7169

All the details are explained here:
http://securityaffairs.co/wordpress/28615/hacking/bash-bug-critical-risk.html

Keep the following in mind:

The Bug Bash flaw is particularly dangerous for Internet-of-things
devices like smart meters, routers, web cameras and any other device
that runs software which allows bash scripts. Typically, such software
are not easily patchable and are more likely to expose the critical flaw
in the Internet.

As said by Graham “Unlike Heartbleed, which only affected a specific
version of OpenSSL, this bash bug has been around for a long, long time.
That means there are lots of old devices on the network vulnerable to
this bug. The number of systems needing to be patched, but which won’t
be, is much larger than Heartbleed.”

Regards,
Gianpaolo