
On 2/10/2014 6:15 PM, Brent Wallis wrote:
Frankly, I think all vendors have been caught out by this, especially over the latest 2 CVEs (6277 and 6278):
- Red Hat's response on 6278 is a little ambiguous IMHO:
From: https://access.redhat.com/security/cve/CVE-2014-6278
“Red Hat believes that changes introduced via updates RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 that prevent Bash from defining new functions based on arbitrary environment variables sufficiently mitigate this issue. This statement will be updated once more details are available.”
I keep checking regularly [much more than normal at this time] for updates; I'm not convinced that we are done yet, even on Linux (Debian in my case).
- NetApp and VMware are both exposed in small ways on some products but fixes are not available as yet.
Not good.
- Cisco have some work to do as well: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s...
They seem to have a great many products to deal with, but again, they are a huge company, they should have the resources to deal with this in a much more timely manner.
TBH I am surprised at the pervasive use of GNU bash.
Yes. A.