Hi,

On Thu, Oct 2, 2014 at 8:47 AM, Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:
On 2/10/2014 8:42 AM, Sam Varghese wrote:
> Fixes for older versions of OS X are available here:
>
> http://tenfourfox.blogspot.com.au/2014/09/bashing-bash-one-more-time-updated.html

Partial fixes..... IT IS NOT FIXED.  This is so disappointing, how bad
is Apple, almost as pathetic as other major vendors such as Cisco and
Juniper doing "emergency" patches at long last.

Frankly, I think all vendors have been caught out by this, especially over the latest 2 CVEs (6277 and 6278):

- Red Hat's response on 6278 is a little ambiguous IMHO:

From:
https://access.redhat.com/security/cve/CVE-2014-6278 

“Red Hat believes that changes introduced via updates RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 that prevent Bash from defining new functions based on arbitrary environment variables sufficiently mitigate this issue. This statement will be updated once more details are available.”

- NetApp and VMware are both exposed in small ways on some products but fixes are not available as yet.

- Cisco have some work to do as well:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

TBH I am surprised at the pervasive use of GNU bash.

BW
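
A local check for the mitigation described in the Red Hat statement quoted above (Bash no longer defining functions from arbitrary environment variables), as an added example that is not part of the original message or any vendor's tooling. The names `probe_var` and `probe_fn` are hypothetical, chosen only for this check, and the bash binary to test is passed as an argument.

```shell
#!/bin/sh
# Added example. probe_var and probe_fn are hypothetical names used only here.

# 0 = bash ignores a function-shaped value in an ordinary variable (hardened)
# 1 = bash imports it as a function, 2 = bash binary not found
ignores_arbitrary_vars() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # The value is a bare function definition; nothing trails it.
    if env probe_var='() { echo imported; }' \
        "$bash_bin" -c 'declare -F probe_var' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# 0 = functions exported with `export -f` still reach a child bash
exported_functions_work() {
    bash_bin=${1:-bash}
    out=$("$bash_bin" -c 'probe_fn() { echo ok; }; export -f probe_fn
                          "$0" -c probe_fn' "$bash_bin" 2>/dev/null)
    [ "$out" = "ok" ]
}

# Prints the environment variable name bash uses to export probe_fn.
# A bare "probe_fn" means the old, unnamespaced encoding is in use.
export_name() {
    bash_bin=${1:-bash}
    "$bash_bin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null |
        sed -n 's/^\([^=]*probe_fn[^=]*\)=() *{.*/\1/p'
}

report() {
    bash_bin=${1:-bash}
    rc=0
    ignores_arbitrary_vars "$bash_bin" || rc=$?
    case $rc in
        0) echo "$bash_bin: hardened, exports functions as $(export_name "$bash_bin")" ;;
        1) echo "$bash_bin: still imports functions from arbitrary variables" ;;
        *) echo "$bash_bin: not found" ;;
    esac
}

report bash
```

Run `report` against every bash binary on a system, including copies bundled with appliances or third-party software, since each is patched independently of the system package.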