Security Advisory: Bash shell

Posted by Russell Keith-Magee on Sept. 24, 2014

Today a security release of Bash was issued, fixing a critical vulnerability. This vulnerability allows an attacker to inject and execute arbitrary code on almost any web server.

This issue does not affect Django directly, but will affect most users of Django.

Any web server which is serving traffic over a CGI or CGI-like interface (including WSGI) should upgrade its version of Bash immediately.

This issue has been assigned CVE-2014-6271.

A complete description of the bug is also available.

New packages have been issued for the following operating systems:

UPDATE: 9:05 CST Reports are emerging that the published patch for this problem may not be sufficient; we advise that you closely monitor security update channels over the next few days in case a revised security patch is issued.

UPDATE: 25 September, 6PM CST The wording above implies that WSGI, being "CGI-like", is equally vulnerable to this bug. In its usual configuration WSGI, unlike CGI, does not set shell environment variables from the request, and so is not vulnerable (unless you are setting shell/OS environment variables based on request data yourself). However, regardless of your deployment technique, upgrading bash on your servers is highly recommended.

Back to Top