bash: specially-crafted environment variables can be used to inject shell commands
Bug #1373965 reported by Pavel Boldin
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Committed | Critical | Pavel Boldin |
5.0.x | In Progress | Critical | Pavel Boldin |
5.1.x | Fix Released | Critical | Pavel Boldin |
6.0.x | Fix Committed | Critical | Pavel Boldin |
Bug Description
A flaw was found in the bash functionality that evaluates specially formatted environment variables passed to it from another environment.
An attacker could use this feature to override or bypass restrictions to the environment to execute shell commands before restrictions have been applied. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
Source: https:/
Because no bash-based CGIs are used in the MOS distribution, it has been decided to wait until this bug is fixed in upstream distributions.
This ticket is to reflect the bug status.
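A mitigation for the exposure described in the bug description, shown as an added example that is not part of the original report or of any Mirantis code: a wrapper that drops function-style environment variables received from an untrusted source before bash is started. The names `is_function_definition`, `scrub_env` and `run_bash` and the sample environment are assumptions made for illustration; the filter covers the `() {` value format that unpatched bash parses and the `BASH_FUNC_` names that patched versions use.

```python
import re
import subprocess
import sys

# Unpatched bash parses any variable whose value begins with "() {" as an
# exported function definition at startup. Whitespace is matched loosely
# here (assumption: over-blocking untrusted input is acceptable).
FUNC_DEF_VALUE = re.compile(r"^\s*\(\)\s*\{")
# Patched bash carries exported functions in BASH_FUNC_-prefixed names instead.
FUNC_DEF_NAME = re.compile(r"^BASH_FUNC_")


def is_function_definition(name, value):
    """True if bash (patched or not) could import this variable as a function."""
    return bool(FUNC_DEF_NAME.match(name) or FUNC_DEF_VALUE.match(value))


def scrub_env(env):
    """Split env into (clean copy, sorted names of dropped variables)."""
    clean, dropped = {}, []
    for name, value in env.items():
        if is_function_definition(name, value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, sorted(dropped)


def run_bash(script, env):
    """Hypothetical wrapper: start bash only with the scrubbed environment."""
    clean, dropped = scrub_env(env)
    for name in dropped:
        print(f"dropped function-style variable: {name}", file=sys.stderr)
    return subprocess.run(["bash", "-c", script], env=clean,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample: an environment as a CGI-style front end might build
    # it from request headers; the second value uses the function-style format.
    constructed_env = {
        "PATH": "/usr/bin:/bin",
        "HTTP_USER_AGENT": "() { :; }; echo constructed-sample",
        "HTTP_ACCEPT": "text/html",
    }
    result = run_bash('echo "agent header was removed: ${HTTP_USER_AGENT-yes}"',
                      constructed_env)
    print(result.stdout, end="")
```

Scrubbing at the caller limits what reaches bash on hosts that are still waiting for the fixed package; it does not replace the package update tracked in this ticket.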
tags: added: mos-linux
Changed in mos:
milestone: none → 6.0
importance: High → Medium
status: New → Confirmed
assignee: nobody → Pavel Boldin (pboldin)
importance: Medium → High
tags: added: cve
We need this fix for already installed environments as well.
Our customers are already interested in this fix.
Packages from the 6.0 branch should be suitable, but we need these packages before the 6.0 release.