More BASH bugs found

As the shellshock vulnerability is one that just keeps on giving, we have been working to protect our customers with something more durable than the band-aid patches thus far provided by Red Hat.

The problem with shellshock is that bash allows function imports via environment variables. It tries to parse them, and even execute them. As the bash parser is complex and not bulletproof, more and more vulnerabilities are being found, some of them reported to be as dangerous as the first one.

After careful consideration, we decided to go the way OpenBSD & FreeBSD Unix have already taken, and disable function imports via environment variables by default.
It might break some scripts that rely on these features, but our hope is that none of those scripts run in a typical shared hosting environment.

If you still need to import functions using environment variables, you can run bash with the --import-functions flag:
$ bash --import-functions

A quick search shows that none of our customers appear to be using bash on their websites; however, you can never be too careful.
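
One way to check a directory tree for scripts that rely on exported functions, and so would be affected by the new default, is sketched below. This is an added example, not part of the original post or the search we ran; the function names, the match pattern and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: list shell scripts that export functions through the
# environment; their child shells lose those functions once import is
# disabled by default, unless bash is started with --import-functions.

# Statements that place a function in the environment. The pattern is an
# assumption covering common spellings, not a full shell parser.
EXPORT_RE='(^|[;&|[:space:]])(export[[:space:]]+-f|(declare|typeset)[[:space:]]+-(fx|xf))([[:space:]]|$)'

# is_shell_script FILE: true if the shebang line names sh or bash.
is_shell_script() {
    head -n 1 "$1" 2>/dev/null |
        grep -Eq '^#![[:space:]]*[^[:space:]]*(/|[[:space:]])(ba)?sh([[:space:]]|$)'
}

# function_exports FILE: print FILE:LINE:TEXT for each non-comment match.
function_exports() {
    grep -En "$EXPORT_RE" "$1" | grep -Ev '^[0-9]+:[[:space:]]*#' |
        while IFS= read -r hit; do printf '%s:%s\n' "$1" "$hit"; done
}

# scan_tree DIR: check every shell script under DIR.
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        if is_shell_script "$f"; then function_exports "$f"; fi
    done
}

# make_sample_tree: write constructed sample files, print their directory.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/bash' 'log() { echo "$@"; }' 'export -f log' \
        'bash -c "log started"' > "$d/uses_export.sh"
    printf '%s\n' '#!/bin/bash' '# export -f is only mentioned here' \
        'export PATH=/usr/bin' > "$d/plain.sh"
    printf '%s\n' '#!/usr/bin/env bash' 'f() { :; }; declare -fx f' > "$d/declare.sh"
    printf '%s\n' 'export -f not_a_script' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Demo on the constructed samples: two hits are reported.
sample=$(make_sample_tree) && scan_tree "$sample" && rm -rf "$sample"
```

To audit real content, call scan_tree with the directory to check instead of the sample tree.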
