Keeping silent after the embargo is over isn't doing anyone any favors.
I think Florian said it best in his most recent message:
"In this particular case, I think we had to publish technical details so
that those who cannot patch immediately can at least try to mitigate
this vulnerability using filters on devices in front of web servers, or
tools like mod_security. And without the technical details, I doubt this
vulnerability would have received the attention it deserves until
someone figures things out. We could easily have obfuscated the patch to
delay this, but what's the point?"
For anyone who would like to see if a system is vulnerable:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you receive the echo output, your version of bash is affected.
Regards,
SG
On 9/24/2014 1:10 PM, Randy Bush wrote:
See: http://seclists.org/oss-sec/2014/q3/650
sigh. i am well aware of it but saw no benefit for further blabbing a
vuln
randy
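The one-line check SG posts above works by hand, but it is awkward to script: the interesting part is whether the payload in the variable's value was executed, not the "this is a test" line, and a patched bash also writes a warning to stderr that is easy to mistake for a hit. The following is an added example, not code from the original thread or from either of its authors. It wraps the same test in a small POSIX sh probe whose result can be checked from a script, and it goes one step beyond the one-liner by also running the probe with a variable named HTTP_USER_AGENT, which mirrors how a CGI-style web server hands a request header to a bash child (the vector that the filters and mod_security rules mentioned above are meant to catch). All function and variable names (CANARY, classify_probe_output, shellshock_probe) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Names are hypothetical.

# The payload: unpatched bash parses a value starting with "() {" as an
# exported function definition and then runs whatever follows the body.
# A patched bash ignores the definition (and warns on stderr) instead.
CANARY='() { :;}; echo SHELLSHOCK_CANARY'

# Pure classification of what the child bash printed on stdout.
# Prints "vulnerable" only if the trailing command of the payload ran.
classify_probe_output() {
    case "$1" in
        *SHELLSHOCK_CANARY*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Run the check with an environment variable of the given name
# (defaults to "x", as in the original one-liner). Prints exactly one of:
#   vulnerable  - the payload's echo executed
#   patched     - bash ran the command but ignored the function definition
#   no-bash     - nothing to test on this host
shellshock_probe() {
    varname=${1:-x}
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # Discard stderr so a patched bash's
    # "warning: ...: ignoring function definition attempt" is not counted.
    out=$(env "$varname=$CANARY" bash -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Usage: probe with the classic variable name, then with a header-shaped
# name as a CGI server would set it. Both answers come from the same bash,
# so they should agree.
for v in x HTTP_USER_AGENT; do
    echo "$v: $(shellshock_probe "$v")"
done
```

On a bash that has the fix applied the probe prints "patched" for both names; on an unpatched one it prints "vulnerable" for both, which is the same outcome as seeing the word "vulnerable" from SG's one-liner.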