The Shellshock vulnerability affects the bash package, and updating bash is required to resolve it. According to the bash update channels, versions 4.1.10-4 and below are NOT patched; versions 4.1.12-5 and above are:
A new release of bash, 4.1.12-5, has been uploaded and will soon reach a mirror near you; leaving the previous version of 4.1.10-4 on 32-bit, and 4.1.11-2 on 64-bit.
NEWS:
=====
This is a minor rebuild which picks up an upstream patch to fix CVE-2014-6271. Left unpatched, a vulnerable version of bash could allow arbitrary code execution via specially crafted environment variables, and was exploitable through a number of remote services, so it is highly recommended that you upgrade.
To check the version of your bash in Cygwin, use the following command:
echo $BASH_VERSION
You'll get an output similar to the following:
4.1.17(9)-release
To update the bash shell in Cygwin:
- Download the installer and run it as you normally would.
- In the "Select Packages" dialog, select base --> bash (for the bleeding edge version select Exp).
- Proceed through the installation.
- Launch Cygwin and use the same command above to make sure that the version was updated.
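
The version check above can be scripted by comparing a $BASH_VERSION string against the 4.1.12-5 threshold quoted earlier. This is an added example, not part of the original page or of Cygwin itself; the function names are hypothetical. It assumes the number in parentheses in $BASH_VERSION matches the Cygwin package release (so package 4.1.12-5 reports 4.1.12(5)-release), and it treats anything below the threshold as unpatched.

```shell
#!/bin/sh
# Lowest version the page lists as carrying the CVE-2014-6271 fix (4.1.12-5),
# written in $BASH_VERSION form. Assumption: "(5)" is the package release.
PATCHED_MIN="4.1.12(5)-release"

# Split "4.1.17(9)-release" into "4 1 17 9" (major minor patch release).
# Prints nothing when the string does not have that shape.
parse_bash_version() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)(\([0-9][0-9]*\)).*$/\1 \2 \3 \4/p'
}

# Print "patched", "unpatched" or "unknown" for a $BASH_VERSION string.
shellshock_status() {
    have=$(parse_bash_version "$1")
    [ -n "$have" ] || { echo unknown; return 0; }
    # Intentional word splitting: $1..$4 = installed, $5..$8 = threshold.
    set -- $have $(parse_bash_version "$PATCHED_MIN")
    # Compare field by field; the first field that differs decides.
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%%:*}
        b=${pair##*:}
        if [ "$a" -gt "$b" ]; then echo patched; return 0; fi
        if [ "$a" -lt "$b" ]; then echo unpatched; return 0; fi
    done
    echo patched   # exactly the threshold version
}

# Report on the shell running this script ("unknown" when it is not bash).
echo "bash ${BASH_VERSION:-?}: $(shellshock_status "${BASH_VERSION:-}")"
```

Run it with bash inside Cygwin before and after the update; an "unknown" result means the version string could not be parsed and should be checked by hand.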