PT-2014-9088 · Gnu+7 · Bash+8
Published 1970-01-01 · Updated 2024-06-15 · CVE-2014-7186
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
bash versions prior to 4.3
bash-3.2
bash-3.0
bash-4.1.2
bash-4.2.45
bash-debuginfo
bash-debuginfo-3.2
bash-debuginfo-4.1.2
bash-debuginfo-4.2.45
bash-debugsource
bash-devel
bash-doc
bash-doc-4.1.2
bash-doc-4.2.45
bash-loadables
bash-loadables-debuginfo
bash-lang
Description
The issue lies in the way GNU Bash imports shell function definitions passed through environment variables. Depending on how the shell is invoked, this may allow an attacker to inject commands into a Bash shell. Bash may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP clients, and scripts hosted on web servers. The vulnerability can be exploited remotely and may lead to a denial of service or potentially allow the execution of arbitrary code.
Recommendations
For bash versions prior to 4.3, update to version 4.3 or later.
For bash-3.2, update to a version later than 3.2.
For bash-3.0, update to a version later than 3.0.
For bash-4.1.2, update to a version later than 4.1.2.
For bash-4.2.45, update to a version later than 4.2.45.
For bash-debuginfo, bash-debuginfo-3.2, bash-debuginfo-4.1.2, bash-debuginfo-4.2.45, update to a version that includes the fix for the vulnerability.
For bash-debugsource, bash-devel, bash-doc, bash-doc-4.1.2, bash-doc-4.2.45, bash-loadables, bash-loadables-debuginfo, bash-lang, update to a version that includes the fix for the vulnerability.
As a temporary workaround, consider restricting access to the Bash shell and limiting the invocation of shell functions through environment variables.
Tags: Exploit, Fix, DoS, Buffer Overflow, OS Command Injection
Affected Products
Alt Linux
CentOS
Cisco IOS XE
Cisco Nexus
Red Hat
SUSE
Ubuntu
VMware vCenter
Bash