Well, this isn't good

Patching bash should fix the problem, if only everyone patched daily...


Not really, in most distros, and for systems governed by people that know what they're doing, there will be no actual vulnerability at all. The field of opportunity for the exploit is pretty extremely narrow, especially on systems with extended security setups, which all WAN-attached servers should have anyway.

It was also patched immediately, as usual in Linux. By the time you read about it on the web, it's already been patched lol.

By the way, the article you quote is more sensationalist than precise, it's pretty bad, imo not written by people that know what they're talking about.

Will be standard in even Debian now, fixes are faster than bloggers and reporters in Linux. This ain't Windows!

In terms of security patches, Debian is often the fastest. The Debian security mailing list is the industry standard, it's basically the "status quaestionis" of IT security in the world and - until further notice - even on Mars or in deep space for that matter.


After looking at the bash manual I don't see anything related to importing [name=[value]] to child processes in the environment.

On closer inspection of the code:

/* If exported function, define it now. Don't import functions from
   the environment in privileged mode. */
if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))


Are we sure this isn't an NSA backdoor? lol

It's easy to check whether or not your system is vulnerable.

Just open terminal and enter:

env x='() { :;}; echo OOPS' bash -c /bin/true

If it returns "OOPS", then you're vulnerable (that means that your updates aren't well configured or that your distro sucks basically), if it returns:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

then everything is perfectly fine until someone discovers the next vulnerability lol.
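The check from the post above, wrapped as an added example (not part of the original thread) so it can be run against any bash binary and used in a patch-audit script. The function name `check_bash_import` and the result labels are assumptions made for this example.

```shell
# Added example: classify a bash binary with the thread's environment probe.
# check_bash_import and its result labels are hypothetical, not part of bash.
# Usage: check_bash_import /bin/bash   (defaults to the bash found in PATH)
check_bash_import() {
    bin=${1:-$(command -v bash || true)}
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "not-found"
        return 2
    fi
    # Same probe as in the thread. ':' replaces /bin/true so the result does
    # not depend on that path existing; the trailing command after the
    # function body runs during environment import, before -c is evaluated.
    out=$(env x='() { :;}; echo OOPS' "$bin" -c ':' 2>/dev/null) || true
    err=$(env x='() { :;}; echo OOPS' "$bin" -c ':' 2>&1 >/dev/null) || true
    case $out in
        *OOPS*)
            # The marker reached stdout: the trailing command was executed.
            echo "vulnerable"
            return 1
            ;;
    esac
    case $err in
        *"ignoring function definition attempt"*)
            # The warning quoted in the thread: import attempt was rejected.
            echo "patched-warns"
            ;;
        *)
            # No marker and no warning: the variable was not imported as a
            # function at all.
            echo "patched-silent"
            ;;
    esac
    return 0
}
```

The exit status is 0 for either patched result, 1 for vulnerable and 2 when the binary is missing, so the function can gate a configuration-management or CI step directly.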

This got fixed pretty fast.

Kind of depends on who finds the problem. A criminal or a hacker. One talks about it, the other uses it.