OVAL Reference oval:org.mitre.oval:def:27118 - CERT Civis.Net
Oval Definition: oval:org.mitre.oval:def:27118
Revision Date: 2014-11-17
Version: 9
Title: ELSA-2014-1306 -- bash security update (Important)
Description: The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169)

Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223

Note: Docker users are advised to use "yum update" within their containers, and to commit the resulting changes.

For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article.

All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
Family: unix
Class: patch
Status: ACCEPTED
Reference(s): CVE-2014-6271
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
ELSA-2014-1306
Platform(s): Oracle Linux 5
Oracle Linux 6
Oracle Linux 7
Product(s): bash
Definition Synopsis
  • Oracle Linux 7 release section
      • Oracle Linux 7.x
      • AND Packages match section
          • bash RPM is earlier than 0:4.2.45-5.el7_0.4
          • OR bash-doc RPM is earlier than 0:4.2.45-5.el7_0.4
  • Oracle Linux 6 release section
      • Oracle Linux 6.x
      • AND Packages match section
          • bash RPM is earlier than 0:4.1.2-15.el6_5.2
          • OR bash-doc RPM is earlier than 0:4.1.2-15.el6_5.2
  • Oracle Linux 5 release section
      • Oracle Linux 5.x
      • AND bash RPM is earlier than 0:3.2-33.el5_11.4