I searched on the forums to make sure no one had posted this beforehand, as this is a rather alarming story making the rounds of news circuits.
Source: New York Times, "Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant"
From the US National Institute of Standards and Technology's Vulnerability Database (emphasis added):
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
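The NVD wording above describes the mechanism in one sentence: bash imports function definitions from environment-variable values and then runs whatever text trails the closing brace. The script below is an added example, not part of the forum post or of the NIST entry, showing what a defender does with that description: classify an environment value as plain, a bare function definition, or a definition with a trailing string; scrub such values out of a request environment before handing it to a bash-based script (the CGI situation the entry names); and run a harmless self-probe that only echoes a marker, so an administrator can tell whether a local bash still honours the trailing string. The variable names, the `PROBE` marker and the sample `HTTP_USER_AGENT` / `SAFE` lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum post or NVD). POSIX sh; no external
# tools beyond env and bash itself.

# classify_env_value VALUE
# Prints "plain", "funcdef" (value starts with the exported-function prefix
# "() {") or "funcdef-trailing" (a function body followed by more text, the
# shape the NVD entry describes as the problem).
classify_env_value() {
    case "$1" in
        "() {"*"}"?*) echo "funcdef-trailing" ;;
        "() {"*)      echo "funcdef" ;;
        *)            echo "plain" ;;
    esac
}

# scrub_env_lines
# Reads NAME=VALUE lines on stdin and writes back only those whose value
# does not begin with "() {". A CGI front end would apply this filter to
# request-derived variables before spawning a bash script. Dropped names
# are reported on stderr so the event can be logged.
scrub_env_lines() {
    while IFS= read -r line; do
        value=${line#*=}
        case "$value" in
            "() {"*) printf 'dropped env var: %s\n' "${line%%=*}" >&2 ;;
            *)       printf '%s\n' "$line" ;;
        esac
    done
}

# probe_local_bash
# Benign self-check: exports a function definition with a trailing echo and
# starts bash with a no-op command. A bash that still imports such values
# prints the marker; a patched bash ignores the variable entirely.
# Returns 0 (patched), 1 (still affected) or 2 (bash not installed).
probe_local_bash() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not installed"
        return 2
    fi
    out=$(env 'PROBE=() { :;}; echo TRAILING-RAN' bash -c 'true' 2>/dev/null || true)
    case "$out" in
        *TRAILING-RAN*) echo "affected: bash executed the trailing string"; return 1 ;;
        *)              echo "patched: trailing string ignored"; return 0 ;;
    esac
}

# Constructed sample: a request header an attacker controls next to a
# harmless variable. Only the harmless one survives the scrub.
printf 'HTTP_USER_AGENT=() { :;}; echo x\nSAFE=1\n' | scrub_env_lines 2>/dev/null
classify_env_value '() { :;}; echo x'
probe_local_bash || true
```

The classifier distinguishes a bare definition from one with trailing text because only the latter is the condition the entry describes; the scrub is deliberately stricter and drops both, since a legitimate CGI request never needs to hand a shell function to the handler.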