On 09/26/2014 06:58 PM, Nathan McGarvey wrote: > Pardon my catching up. This (and all the other related patches for > other past versions) is to remedy CVE-2014-7169 and CVE-2014-6271 was > remedied by the previous Patch 25 (and related set for all other > versions.) Is this correct? Or are there still outstanding issues?
If _all_ you apply is patch 25 and 26, then you are STILL vulnerable to ShellShock (we know of at least CVE-2014-7186 and CVE-2014-7187 that are also ShellShock attack points, and there are probably more). For a more comprehensive read, see: https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
