Hi all,

I see there are two new CVEs for bash: CVE-2014-6277 [1] and CVE-2014-6278 [2]. I note that the security tracker shows all versions of Debian as "vulnerable"; however, the Notes section on 6277 and 6278 shows:

"The underlying parser flaw has not yet been disclosed and might still exist in latest released bash packages. However Florian Weimer's variables-affix.patch patch applied in Debian prevents exploitation of this issue by making bash only use environment variables with specific names (BASH_FUNC_*()) to define functions from its environment."

So I am confused. I think what I am reading here is that if you applied the latest patches to bash [3], you are not vulnerable to CVE-2014-6277 / CVE-2014-6278. Running the test outlined on lcamtuf.blogspot.co.nz [4] seemed to confirm that.

Any insights would be appreciated.

Thanks!
John

[1] https://security-tracker.debian.org/tracker/CVE-2014-6277
[2] https://security-tracker.debian.org/tracker/CVE-2014-6278
[3] e.g. for stable i386 bash ver: 4.2+dfsg-0.1+deb7u3
[4] http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html
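The hardening the tracker note describes (bash only importing functions from environment variables with a reserved name prefix) can be verified directly on a host. The script below is an added example, not part of the original message or of Debian's own tooling: it checks that an arbitrarily named variable is no longer turned into a function, and then reports which variable name the installed bash actually uses when it exports a function, so you can see whether the `BASH_FUNC_*()` affix from the Debian patch (or upstream's later `BASH_FUNC_*%%`) is in effect. The names `shellshock_probe` and `probe` are constructed for this check, and a `bash` binary on `PATH` is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `bash` is on PATH.
# The variable/function names `shellshock_probe` and `probe` are constructed.

# Returns 0 if this bash ignores function definitions carried in arbitrarily
# named environment variables (the variables-affix hardening), 1 if it still
# imports them (unpatched behaviour), 2 if no bash binary is available.
bash_function_import_restricted() {
    command -v bash >/dev/null 2>&1 || return 2
    # An unpatched bash would define a function named shellshock_probe from
    # this variable, and the inner command would then succeed (exit 0).
    # A patched bash never defines it, so bash -c fails with "command not found".
    if shellshock_probe='() { :; }' bash -c 'shellshock_probe' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the environment variable name under which this bash exports a
# function called "probe". Hardened builds emit a reserved name such as
# BASH_FUNC_probe() (Debian affix patch) or BASH_FUNC_probe%% (upstream);
# an unpatched bash would emit the bare name "probe". Returns 2 if no bash.
exported_function_var_name() {
    command -v bash >/dev/null 2>&1 || return 2
    bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
        | grep -E '^(BASH_FUNC_)?probe[^=]*=' \
        | sed 's/=.*//' \
        | head -n 1
}

# Human-readable summary for an admin running this by hand.
report_bash_hardening() {
    rc=0
    bash_function_import_restricted || rc=$?
    case "$rc" in
        0) echo "function import restricted: yes (exports as: $(exported_function_var_name))" ;;
        1) echo "function import restricted: NO - functions still imported from any variable name" ;;
        *) echo "bash not found on PATH" ;;
    esac
    return "$rc"
}

# Run the report when executed directly (harmless when sourced by a test).
case "$0" in
    *check_bash_hardening*) report_bash_hardening ;;
esac
```

Exit status 0 from `bash_function_import_restricted` corresponds to the condition the tracker note relies on; a status of 1 means the host is still running a bash that accepts function definitions from any environment variable name, regardless of what the package version string says.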