CGI::Application and recent bash security hole

Dave Cross dave at
Fri Sep 26 16:11:10 BST 2014

Quoting gvim <gvimrc at>:

>> There's a second vulnerability that escapes the first bug patch.
>>  env X="() { (a)=>\\" bash -c '/dev/stdout date'
>> If this prints the date, you still have a hole where bash can write content
>> to arbitrary files. ( And this trick somehow makes it write the date to
>> /dev/stdout.  )
> Kreist, I'm up **it Creek after all :(

Your distro almost certainly has a second patch already available.  
Just update your installed package.

This article seems pretty good:


More information about the mailing list