The first patches for Shellshock didn’t offer complete protection. The latest revisions of the patch for this security problem in bash, the popular Mac OS X, Linux, and Unix shell, were released on Friday, offering greater defenses against hackers.
The problem with the first patch, as Red Hat explained in its Shellshock FAQ, was that it only took care of the original bash flaw CVE-2014-6271. This, the true Shellshock bug, is the worst bash security hole. There were also others.
Red Hat said: “Shortly after that issue went public a researcher found a similar flaw that wasn’t blocked by the first fix and this was assigned CVE-2014-7169.” This bug is also a security problem, but it’s not as bad as the other flaw.
Later, Red Hat Product Security researcher Florian Weimer found additional problems and these were designated CVE-2014-7186 and CVE-2014-7187. Fortunately, these bugs are less serious and the latest patch takes care of these as well. As Red Hat’s Huzaifa Sidhpurwala told me: “The latest version of bash fixes all the CVE issues.”
So, what you want to do now, if you haven’t already, is check to see if you’re running a vulnerable version of bash.