# CVE-2014-6271: remote code execution through bash

## jnicol

http://seclists.org/oss-sec/2014/q3/649

Hopefully we'll get a patch in the next day or two...

----------

## cach0rr0

No GLSA yet, but a patched build should already be in portage

https://bugs.gentoo.org/show_bug.cgi?id=523592

synced earlier, and she's there

```
 24 Sep 2014; Lars Wendler <polynomial-c@gentoo.org> +bash-3.1_p17-r1.ebuild,
  +bash-3.2_p51-r1.ebuild, +bash-4.0_p38-r1.ebuild, +bash-4.1_p11-r1.ebuild,
  +bash-4.2_p47-r1.ebuild, -bash-4.3_p24.ebuild, -bash-4.3_p24-r1.ebuild,
  +bash-4.3_p24-r2.ebuild, +files/bash-3.1-funcdef-import.patch,
  +files/bash-4.3-funcdef-import.patch:
  Security bump (bug #523592). Fixed environment handling command injection
  (CVE-2014-6271).
```

The above is from the ChangeLog for app-shells/bash.

----------

## jnicol

woohoo, thanks! My Gentoo boxes are secured before my Fedora boxes :Smile:

----------

