Re: Critical update for bash released today.

On 2014-09-26, Cliff Pratt <enkiduonthenet@xxxxxxxxx> wrote:
> Take the case of an Apache Bash CGI. This will have been loaded when Apache
> started, so Apache will have to be restarted to get the new one.

Based on my (admittedly limited) testing I do not believe this is the
case.  Apache exec()'s the interpreter on each request; it doesn't save
the interpreter into its memory space, so each subsequent call should
re-run the interpreter.  That's one of the big reasons mod_perl and
its ilk are popular: they do put the interpreter into httpd's memory,
so the interpreter doesn't have to be called on each invocation.

I don't currently have a vulnerable interpreter available on a web
server, but on the servers where I have an updated bash, the
"vulnerable" message that's produced by the example code doesn't show
up in a bash CGI on a web server I haven't restarted.

# example code
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

--keith

-- 
kkeller@xxxxxxxxxxxxxxxxxxxxxxxxxx


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
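
An added example, not part of the original message or thread: a script that runs the test command quoted above against the on-disk bash and lists processes whose /proc/PID/exe still points at a bash image that has since been replaced, which is one way to check the restart question on a Linux host. The function names and the `report` argument are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# classify_output TEXT: interpret the output of the thread's test command.
# "vulnerable" on its own line means bash ran the text that trails the
# function definition in the environment variable.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo patched
    else
        echo unknown
    fi
}

# probe_bash BIN: run the test command from the message against one binary.
probe_bash() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null) || true
    classify_output "$out"
}

# stale_bash_pids [PROCROOT]: print PIDs still executing a bash image that
# is no longer on disk. Linux marks such a link target with " (deleted)".
# Processes owned by other users are skipped unless run as root.
stale_bash_pids() {
    root=${1:-/proc}
    for exe in "$root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            */bash\ \(deleted\))
                pid=${exe%/exe}
                echo "${pid##*/}"
                ;;
        esac
    done
}

# Print a report for this host only when invoked as: sh script.sh report
if [ "${1:-}" = report ]; then
    echo "on-disk bash: $(probe_bash "$(command -v bash)")"
    echo "PIDs running a replaced bash: $(stale_bash_pids | tr '\n' ' ')"
fi
```

A PID listed by `stale_bash_pids` is a shell that was started before the package update and has not exited since.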