Shellshock is a series of security vulnerabilities in bash, starting with CVE-2014-6271, which allow arbitrary code execution from environment variables.
Shellshock is vulnerability CVE-2014-6271 in bash (other shells are not affected), reported by Stéphane Chazelas in September 2014.
Bash imports function definitions from the environment when it starts; the vulnerability is due to executing arbitrary code from specially-crafted environment variables.
Common remote execution vectors include CGI scripts, OpenSSH forced commands, and some DHCP servers. Local execution vectors include bash scripts executed with elevated privileges or with environment values obtained from untrusted sources; sudo is not affected because it filters out environment entries that look like bash exported functions.
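The kind of filtering attributed to sudo above can be applied before starting any bash script with an environment you do not control. This is an added sketch, not sudo's or bash's own code; the function names are hypothetical, "looks like an exported function" is assumed to mean a value beginning with `() {`, and `env -u` is assumed to be available (GNU, BSD and BusyBox `env` provide it).

```shell
#!/bin/sh
# Added example: flag and strip environment entries that look like
# exported bash functions. Assumption: "looks like" means the value
# begins with the four characters "() {".

# Print the names of matching environment entries, one per line.
# awk's ENVIRON is used instead of parsing `env` output so that
# multi-line values cannot be mistaken for separate entries.
list_function_like_env() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (substr(ENVIRON[name], 1, 4) == "() {")
                print name
    }' | sort
}

# Run a command with every matching entry removed from its environment.
# The body is a subshell, so the caller's positional parameters and
# variables are left untouched. Assumes names contain no whitespace.
run_without_function_like_env() (
    for name in $(list_function_like_env); do
        set -- -u "$name" "$@"
    done
    exec env "$@"
)

# Demo with constructed values: an empty, harmless function body and
# an ordinary string.
(
    export DEMO_FN='() { :; }'
    export DEMO_OK='plain value'
    echo "function-like entries:"
    list_function_like_env | sed 's/^/  /'
    run_without_function_like_env \
        sh -c 'echo "child sees DEMO_FN=${DEMO_FN-<removed>} DEMO_OK=$DEMO_OK"'
)
```

Filtering of this kind reduces exposure for wrappers that must run before bash can be upgraded; it does not replace the upgrade.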
In the wake of the initial discovery, several more vulnerabilities were discovered in the same part of the bash code.
To fix these vulnerabilities, upgrade bash to a version that fixes CVE-2014-6271 and the other vulnerabilities. Apply your distribution's security updates as usual. For the rare users who install bash from source, patches have been provided for all affected versions.