Apple has released an update to address the “ShellShock” Bash vulnerability

Details below.

——————————
APPLE-SA-2014-09-29-1 OS X bash Update 1.0

OS X bash Update 1.0 is now available and addresses the following:

Bash

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,
OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary
shell commands

Description: An issue existed in Bash's parsing of environment variables. This issue was
addressed through improved environment variable parsing by better detecting the end of
the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the
parser state.

In addition, this update added a new namespace for exported functions by creating a
function decorator to prevent unintended header passthrough to Bash. The names of all
environment variables that introduce function definitions are required to have a
prefix "__BASH_FUNC<" and suffix "&gt " to prevent unintended function passing via
HTTP headers.

CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy


OS X bash Update 1.0 may be obtained from the following webpages:

http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:

* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates
web site:http://support.apple.com/kb/HT1222