Michal Zalewski discovered that Bash incorrectly handled parsing certain function definitions. If an attacker were able to create an environment variable containing a function definition with a very specific name, these issues could possibly be used to bypass certain environment restrictions and execute arbitrary code. (CVE-2014-6277, CVE-2014-6278)
Please note that the previous Bash security update, USN-2364-1, includes a hardening measure that prevents these issues from being used in a Shellshock attack.
{ "availability": "No subscription required", "binaries": [ { "binary_version": "4.3-7ubuntu1.5", "binary_name": "bash" }, { "binary_version": "4.3-7ubuntu1.5", "binary_name": "bash-builtins" }, { "binary_version": "4.3-7ubuntu1.5", "binary_name": "bash-doc" }, { "binary_version": "4.3-7ubuntu1.5", "binary_name": "bash-static" } ] }