1. Overview
Hello. This is Godo Hosting.
Arbitrary code execution vulnerabilities (CVE-2014-6271, CVE-2014-7169) have been discovered in GNU Bash, which is used on Linux-family and other operating systems, and security updates have been released.
2. Vulnerability Information
CVE-Number: CVE-2014-6271, CVE-2014-7169
Affected software: GNU Bash (Bourne Again Shell)
Affected systems: Linux-family operating systems that use GNU Bash
3. How to Check for the Vulnerability

CVE-2014-6271

  Bash shell input for the check:
    # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

  Return message if vulnerable:
    vulnerable
    this is a test

  Return message after the update:
    this is a test

CVE-2014-7169

  Bash shell input for the check:
    # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

  Return message if vulnerable:
    bash: x: line 1: syntax error near unexpected token `='
    bash: x: line 1: `'
    bash: error importing function definition for `x'
    Fri Sep 26 11:49:58 GMT 2014

  Return message after the update:
    date
    cat: /tmp/echo: No such file or directory
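The two manual checks above as a script (an added example, not part of the original notice). The function names, the BASH_BIN variable and the --run switch are assumptions of this example; the CVE-2014-7169 probe runs in a private scratch directory instead of /tmp and decides by whether the file named echo was created.

```shell
#!/bin/sh
# Added example: scripted form of the two manual checks in section 3.
# BASH_BIN, the function names and --run are assumptions of this example.
BASH_BIN="${BASH_BIN:-bash}"   # shell binary under test

# CVE-2014-6271: a vulnerable bash executes the command that trails the
# function body while importing x, so "vulnerable" shows up on stdout.
classify_6271() {   # $1 = stdout captured from the probe
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: a vulnerable bash treats the parser leftovers as a
# redirection and creates a file named "echo" in the working directory.
classify_7169() {   # $1 = directory the probe ran in
    if [ -e "$1/echo" ]; then echo vulnerable; else echo patched; fi
}

probe_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' \
        "$BASH_BIN" -c "echo this is a test" 2>/dev/null) || :
    classify_6271 "$out"
}

probe_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Private scratch directory instead of the shared /tmp used on the page.
    dir=$(mktemp -d) || { echo error; return 0; }
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c "echo date" ) \
        >/dev/null 2>&1 || :
    result=$(classify_7169 "$dir")
    rm -rf "$dir"
    echo "$result"
}

report() {
    echo "CVE-2014-6271: $(probe_6271)"
    echo "CVE-2014-7169: $(probe_7169)"
}

# Live probes run only on request: sh check.sh --run
if [ "${1:-}" = "--run" ]; then report; fi
```

A host counts as fixed only when both lines report patched.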
4. Resolution
Apply the update with yum:
# yum update bash -y
If you have questions about this notice, see the reference links below. If you have an inquiry or a request, submit it through the 1:1 inquiry board together with your access account information and we will handle it promptly.
Godo Hosting will always keep striving. Thank you.
[Reference sites]
Related article: http://www.ddaily.co.kr/news/article.html?no=122715
CentOS: http://lists.centos.org/pipermail/centos/2014-September/146099.html
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Redhat: https://access.redhat.com/solutions/1207723
Debian: https://www.debian.org/security/2014/dsa-3032