Diff for "BashFAQ/111"

What is the Shellshock vulnerability in Bash?

As of this writing (September 27th, 2014), the situation with Shellshock is changing so rapidly that you're probably better off using your preferred search engine instead of this FAQ. For example, you could search a news site for recent items which contain the word "Shellshock".

A quick summary is this:

• The most recent updates should now fix all known Shellshock-related vulnerabilities.
• Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
• Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug.

After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".

In the meantime, here are a few links that should help you get started:

• ZDNet: the latest patches do fix all known Shellshock issues

• Search Google News for 'Shellshock bash', limited to the last 24 hours

• Wikipedia article on Shellshock

• "shellshocker.net", and online tool for testing if a system is vulnerable

• Summary article from RedHat on how to determine if a system is vulnerable

• Critical Watch page on Shellshock

• Official US-CERT page on CVE-2014-6271, the first vulnerability in the series to be discovered

• NIST page on CVE-2014-6271

• RedHat's "knowledge base" article

• 4-minute introductory video for non-programmers

• Conversation thread on Y-Combinator

• Conversation thread on Reddit

• Patch instructions for OSX

• "Everything you need to know about the Shellshock Bash bug", by Troy Hunt

• Early report by Steven J. Vaughan-Nichols of ZDNet

• Search Google News for 'CVE-2014-6271'

• Search Google News for 'CVE-2014-7169'

• Search Google News for 'CVE-2014-7186'

• Search Google News for 'CVE-2014-7187'

CategoryShell