24 Sep 2014, 5:54 p.m.
This is an important one to patch your systems on, if you haven't already.
The xymon CGI interface runs via shell wrappers around the actual C cgi code (to set the environment properly), which means this would be an avenue for attack.
Alternatively, using /bin/dash or some other shell besides bash (often /bin/sh on Linux distros) is another workaround. (This is the default on the Terabithia RPMS for EL6.)
More info: http://seclists.org/oss-sec/2014/q3/650
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen...
https://access.redhat.com/articles/1200223
Regards, -jc
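
One way to check the workaround described in the message above, as an added example that is not part of the original post: the function lists CGI wrapper scripts in a directory whose interpreter line resolves to bash, following symlinks so that a /bin/sh pointing at bash is caught. The function names and the directory argument are assumptions; pass your own Xymon CGI wrapper directory.

```shell
#!/bin/sh
# Added example (not from the original message): report CGI wrapper scripts
# whose shebang interpreter resolves to bash. Function names and the directory
# argument are assumptions; pass your own Xymon CGI wrapper directory.

# Print the interpreter named on a script's "#!" line (nothing for binaries).
shebang_interp() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ] || return 0
    IFS= read -r first < "$1" || [ -n "$first" ] || return 0
    set -f                       # no globbing while splitting the line
    set -- ${first#'#!'}
    set +f
    case $1 in
        */env|env) shift ;;      # "#!/usr/bin/env bash": next word is the shell
    esac
    printf '%s\n' "$1"
}

# Follow symlinks to the real binary, so /bin/sh -> bash is caught.
resolve_interp() {
    case $1 in
        /*) p=$1 ;;
        *)  p=$(command -v "$1" 2>/dev/null) || return 1 ;;
    esac
    readlink -f "$p" 2>/dev/null || printf '%s\n' "$p"
}

# Print one "BASH <script> (<shebang> -> <target>)" line per affected wrapper.
audit_cgi_wrappers() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        interp=$(shebang_interp "$f")
        [ -n "$interp" ] || continue
        target=$(resolve_interp "$interp") || continue
        case ${target##*/} in
            bash) printf 'BASH %s (%s -> %s)\n' "$f" "$interp" "$target" ;;
        esac
    done
    return 0
}

if [ $# -gt 0 ]; then audit_cgi_wrappers "$1"; fi
```

The check looks only at each wrapper's interpreter line, so a wrapper that runs under an already patched bash is still listed; confirm the installed bash package version separately.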