Spencer Gaw spencerg at frii.net
Wed Sep 24 19:38:09 UTC 2014

Keeping silent after the embargo is over isn't doing anyone any favors. 
I think Florian said it best in his most recent message:

"In this particular case, I think we had to publish technical details so 
that those who cannot patch immediately can at least try to mitigate 
this vulnerability using filters on devices in front of web servers, or 
tools like mod_security. And without the technical details, I doubt this 
vulnerability would have received the attention it deserves until 
someone figures things out. We could easily have obfuscated the patch to 
delay this, but what's the point?"

For anyone that would like to see if a system is vulnerable:

|env x='() { :;}; echo vulnerable' bash -c "echo this is a test"|

If you receive the echo output, your version of bash is affected.



On 9/24/2014 1:10 PM, Randy Bush wrote:
>> See: http://seclists.org/oss-sec/2014/q3/650
> sigh.  i am well aware of it but saw no benefit for further blabbing a
> vuln
> randy

More information about the NANOG mailing list