Bash vulnerability
CVE-2014-6271 & CVE-2014-7169
https://access.redhat.com/node/1200223
https://access.redhat.com/security/cve/CVE-2014-6271
https://access.redhat.com/security/cve/CVE-2014-7169
A vulnerability in bash has been publicly disclosed in the last 24 hours. All M.D.G. IT servers should now have a patched version of bash installed, which addresses CVE-2014-6271; however, it has been discovered that this patch is incomplete. A second CVE, CVE-2014-7169, has been created to track the incomplete fix. It has a lower Base Score than the original vulnerability: while it is still under investigation, this CVE has a 'medium' risk rating, as opposed to the high rating of the original.
We are waiting for an additional patch to be released by Red Hat, and we will force a server update as soon as it becomes available.
Thursday 25 September
Update: All M.D.G. IT servers have also had the LD_PRELOAD mitigation applied to network-facing services.
Update: Updated bash packages that address CVE-2014-7169 are now available; these are being progressively deployed to all servers.