GNU Bash through 4.3 bash43-026 does not properly parse function
definitions in the values of environment variables, which allows remote
attackers to execute arbitrary commands via a crafted environment, as
demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd,
the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts
executed by unspecified DHCP clients, and other situations in which setting
the environment occurs across a privilege boundary from Bash execution.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
 mdeslaur> this issue is mitigated by Florian Weimer's prefix-suffix patch
 mdeslaur> that is included in
 mdeslaur> since bash parser vulnerabilities are now limited to specially
 mdeslaur> named environment variables, and as such are no longer directly
 mdeslaur> exposed to CGI scripts, SSH, etc.
 mdeslaur> Once an upstream patch is made available, we will release bash
 mdeslaur> updates, but we don't consider this to be a critical issue
 mdeslaur> requiring immediate attention.
Source package: bash
Ubuntu 14.04 LTS (Trusty Tahr): released (4.3-7ubuntu1.5)
Updated: 2019-03-19 12:15:33 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)