
The vulnerability only affects bash when it is parsing environment variables, when it is just starting. So if a process is already running, it's not vulnerable and you don't have to restart it. You should definitely apply the patch from Wednesday, but be aware there is a related vulnerability that has no patch yet.

Add the configuration from this page https://access.redhat.com/solutions/1207723 to your Apache or nginx config to deny malicious HTTP requests.

This isn't always true. Frequently sub-shells are started without people really knowing, like with backticks or parentheses.

But the sub-shell that gets started will use the new binary, which will be safe.
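
A request filter of the kind the earlier comment points to, as an added example (not code from the thread or from the linked Red Hat page). It assumes the filter keys on header values that begin with `() {`, the prefix bash treats as an imported function definition when it parses its environment at startup; the function names and sample requests are constructed.

```python
import re

# CGI hands request headers to child processes as HTTP_* environment
# variables. Bash imports a value as a function when it starts with "() {",
# so that prefix on a header value is what to deny or alert on.
# The pattern is slightly broader than bash's exact prefix (any whitespace).
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")

def parse_request(raw):
    """Split a raw HTTP request head into (request_line, [(name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            # Keep repeated headers: a list, not a dict, so none are overwritten.
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def suspicious_headers(headers):
    """Return sorted names of headers whose value starts like a function definition."""
    return sorted({name for name, value in headers if FUNC_PREFIX.search(value)})

def should_deny(raw):
    """True when any header value carries the function-definition prefix."""
    _, headers = parse_request(raw)
    return bool(suspicious_headers(headers))

# Constructed sample requests (not captured traffic).
BENIGN = ("GET /cgi-bin/status HTTP/1.1\r\n"
          "Host: example.test\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
FLAGGED = ("GET /cgi-bin/status HTTP/1.1\r\n"
           "Host: example.test\r\n"
           "User-Agent: ok\r\n"
           "User-Agent: () { :; }; constructed-trailing-text\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(label, "deny" if should_deny(raw) else "allow")
```

This checks headers only; the request line and query string also reach CGI programs through the environment and would need the same check.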
