Oh, joy: despite a vigorous round of patching, Shellshock isn’t dead, and isn’t even resting:
Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.
"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.
"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.
— iTnews.com.au, Further flaws render Shellshock patch ineffective. Spotted via Slashdot