GNU Bash versions 4.3 and below remote command injection exploit that leverages the REFERER header on vulnerable CGI scripts. Launches a connect-back shell. Written in Perl.
All posts by 007admin
Typo3 JobControl 2.14.0 Cross Site Scripting / SQL Injection
Typo3 JobControl version 2.14.0 suffers from cross site scripting and remote SQL injection vulnerabilities. Typo3 no longer provides updates for this extension and it is considered unsafe to use.
Gnu Bash 4.3 CGI Scan Remote Command Injection
GNU Bash versions 4.3 and below remote command injection exploit that leverages the User-Agent header via vulnerable CGI scripts. Written in Python.
SmarterTools Smarter Track 6-10 Information Disclosure
SmarterTools Smarter Track versions 6 through 10 suffer from an information disclosure vulnerability.
GS Foto Uebertraege 3.0 Local File Inclusion
GS Foto Uebertraege version 3.0 suffers from a local file inclusion vulnerability.
Red Hat Security Advisory 2014-1307-01
Red Hat Security Advisory 2014-1307-01 – Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS parsed ASN.1 input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS.
Ubuntu Security Notice USN-2363-2
Ubuntu Security Notice 2363-2 – USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch for CVE-2014-7169 didn’t get properly applied in the Ubuntu 14.04 LTS package. This update fixes the problem. Tavis Ormandy discovered that the security fix for Bash included in USN-2362-1 was incomplete. An attacker could use this issue to bypass certain environment restrictions. Various other issues were also addressed.
Mandriva Linux Security Advisory 2014-190
Mandriva Linux Security Advisory 2014-190 – It was found that the fix for was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. Additionally, Bash has been updated from patch level 37 to 48 using the upstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/ which resolves various bugs.
Ubuntu Security Notice USN-2363-1
Ubuntu Security Notice 2363-1 – Tavis Ormandy discovered that the security fix for Bash included in USN-2362-1 was incomplete. An attacker could use this issue to bypass certain environment restrictions.
Red Hat Security Advisory 2014-1306-01
Red Hat Security Advisory 2014-1306-01 – The GNU Bourne Again shell is a shell and command language interpreter compatible with the Bourne shell. Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.