Hi all,
Today a security release of Bash was issued, fixing a critical vulnerability. This vulnerability allows an attacker to inject and execute arbitrary code on many web servers and other applications.
This issue does not affect Twisted directly, but will affect many users of Twisted.
Any web server which is serving traffic over a CGI or CGI-like interface (including WSGI) should upgrade its version of Bash immediately.
This issue has been assigned CVE-2014-6271.
A complete description of the bug is also available: http://seclists.org/oss-sec/2014/q3/650
New packages have been issued for the following operating systems:
* Debian: http://www.debian.org/security/2014/dsa-3032
* Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
* Red Hat Enterprise Linux: https://rhn.redhat.com/errata/RHSA-2014-1293.html
Please be aware that there are reports that the current patches do not completely solve the issue; it is likely that users will need to perform updates a second time.
Sincerely, Alex Gaynor
On Sep 24, 2014, at 7:26 PM, Alex Gaynor alex.gaynor@gmail.com wrote:
Please be aware that there are reports that the current patches do not completely solve the issue; it is likely that users will need to perform updates a second time.
These reports are being tracked as CVE-2014-7169.
More information here:
http://seclists.org/oss-sec/2014/q3/685
Good night and good luck,
-glyph
Any web server which is serving traffic over a CGI or CGI-like interface (including WSGI) should upgrade its version of Bash immediately.
I feel ignorant, but I'm confused about how WSGI is affected (and have failed to exploit my WSGI app). AFAICT from reading the code, Twisted's WSGIResource doesn't invoke a shell. I see that it has an `environ` attribute that gets filled with user-provided information, but I don't see how that makes it into a shell's environment.
We'll patch bash anyway.
Thanks,
Matt
On Sep 25, 2014, at 8:09 AM, Matt Haggard haggardii@gmail.com wrote:
Any web server which is serving traffic over a CGI or CGI-like interface (including WSGI) should upgrade its version of Bash immediately.
I feel ignorant, but I'm confused about how WSGI is affected (and have failed to exploit my WSGI app). AFAICT from reading the code, Twisted's WSGIResource doesn't invoke a shell. I see that it has an `environ` attribute that gets filled with user-provided information, but I don't see how that makes it into a shell's environment.
As Alex's post said, this vulnerability does not affect Twisted directly.
The point is that most people deploying web services are doing so in a UNIX environment, and in so doing they are probably invoking scripts of various kinds, or executables which may have been replaced with wrapper shell-scripts. It's hard to audit for environment variables containing attacker-controlled data, and this is the sort of thing we've all been trained to expect is safe, if they're variables in our own "namespace", so it's possible that any number of 3rd-party tools you are using with Twisted are vulnerable in surprising ways.
So everybody should just upgrade :).
-glyph
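The path glyph describes, a CGI-style environ leaking into the environment of a child process, is easy to see once written down. The following is an added illustration, not code from this thread or from Twisted; the environ dictionary is constructed sample data, and `run_helper` stands in for a hypothetical helper executable that a WSGI application might spawn.

```python
import os
import subprocess

# Constructed sample: the kind of CGI-style environ a WSGI server builds from a
# request. Every HTTP_* value is a header the client chose.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/report",
    "HTTP_USER_AGENT": "client-supplied text",
    "HTTP_X_FORWARDED_FOR": "203.0.113.7",
}

# CGI variables derived from the request line or body rather than from headers.
REQUEST_DERIVED = {"PATH_INFO", "QUERY_STRING", "REQUEST_METHOD", "CONTENT_TYPE",
                   "CONTENT_LENGTH", "REQUEST_URI", "SCRIPT_NAME"}


def attacker_influenced_keys(environ):
    """Audit helper: list the keys of a CGI/WSGI environ whose values come from the client."""
    return sorted(k for k in environ if k.startswith("HTTP_") or k in REQUEST_DERIVED)


def unsafe_child_env(environ):
    """The pattern to avoid: the request environ merged wholesale into the child's environment.

    A wrapper shell script started with this environment sees every attacker-
    controlled variable, which is exactly what makes the Bash bug reachable.
    """
    env = dict(os.environ)
    env.update(environ)
    return env


def safe_child_env():
    """Hardened form: an explicit allowlist, so nothing request-derived reaches the child."""
    keep = ("PATH", "LANG", "HOME")
    return {k: os.environ[k] for k in keep if k in os.environ}


def run_helper(argv, env):
    """Spawn a helper (hypothetical) with a deliberately chosen environment."""
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("client-controlled keys:", attacker_influenced_keys(SAMPLE_ENVIRON))
    print("leaked into child:", [k for k in unsafe_child_env(SAMPLE_ENVIRON) if k.startswith("HTTP_")])
    print("passed to child:", sorted(safe_child_env()))
```

Auditing for this means finding every `subprocess`, `os.system` or `reactor.spawnProcess` call and checking which environment it inherits, not just whether the application itself invokes a shell.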