Keeping silent after the embargo is over isn't doing anyone any favors. I think Florian said it best in his most recent message:

"In this particular case, I think we had to publish technical details so that those who cannot patch immediately can at least try to mitigate this vulnerability using filters on devices in front of web servers, or tools like mod_security. And without the technical details, I doubt this vulnerability would have received the attention it deserves until someone figures things out. We could easily have obfuscated the patch to delay this, but what's the point?"

For anyone that would like to see if a system is vulnerable:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you receive the echo output, your version of bash is affected.

Regards,
SG

On 9/24/2014 1:10 PM, Randy Bush wrote:
> See: http://seclists.org/oss-sec/2014/q3/650
> sigh. i am well aware of it but saw no benefit for further blabbing a vuln
>
> randy
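The message mentions mitigating with filters in front of web servers. As an added example that is not part of this thread, the following scans HTTP request header lines for the bash function-definition prefix the local test above relies on; the header samples are constructed and the regex is the author's own choice, not any vendor's rule.

```python
import re

# A CGI server exports request headers as environment variables
# (HTTP_USER_AGENT, HTTP_COOKIE, ...), so a header value that starts
# with a bash function definition is what reaches a vulnerable bash.
# The pattern tolerates optional whitespace: "() {", "(){", "( ) {".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample headers, not captured traffic. The two malicious
# lines reuse the harmless local check string from the message above.
SAMPLE_HEADERS = [
    "Host: www.example.com",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0",
    "User-Agent: () { :;}; echo vulnerable",
    "Cookie: () {:;}; echo vulnerable",
    "Accept: text/html,application/xhtml+xml;q=0.9,*/*;q=0.8",
]


def find_shellshock_headers(header_lines):
    """Return (header_name, value) pairs whose value carries a bash
    function-definition prefix. Lines without a ':' are skipped; the
    header name is whatever precedes the first ':'."""
    hits = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if SHELLSHOCK_RE.search(value):
            hits.append((name.strip(), value.strip()))
    return hits


if __name__ == "__main__":
    for name, value in find_shellshock_headers(SAMPLE_HEADERS):
        print(f"suspicious header {name}: {value!r}")
```

The benign Firefox User-Agent contains parentheses but no "()" followed by "{", so it is not flagged; only the two constructed probe lines are.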