CVE-2014-6271

Priority
High
Description
GNU Bash through 4.3 processes trailing strings after function definitions
in the values of environment variables, which allows remote attackers to
execute arbitrary code via a crafted environment, as demonstrated by
vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and
mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified
DHCP clients, and other situations in which setting the environment occurs
across a privilege boundary from Bash execution, aka "ShellShock." NOTE:
the original fix for this issue was incorrect; CVE-2014-7169 has been
assigned to cover the vulnerability that is still present after the
incorrect fix.
References
Notes
 mdeslaur> After updates were released for this issue, it was discovered
 mdeslaur> that the fix was incomplete. The new issue is being tracked
 mdeslaur> as CVE-2014-7169.
Assigned-to
mdeslaur
Package
Source: bash (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 LTS (Precise Pangolin):released (4.2-2ubuntu2.2)
Ubuntu 14.04 LTS (Trusty Tahr):released (4.3-7ubuntu1.1)
More Information

Updated: 2016-03-23 03:41:28 UTC (commit 10817)