On 10/16/2014 03:02 PM, Dave Kalaluhi wrote:
> We have been compiling some of the older versions of bash to fix
> vulnerabilities, and for the most part, it has been working.
>
> However, when we patch the 013 patch for CVE-2014-7187, and run the
> nested loop, it's still showing as vulnerable.

Exactly HOW are you testing?

> Has anyone else had a similar experience?

Reading the archives, I see other people using an invalid test for CVE-2014-7187:
https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00137.html
https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00140.html

Remember, a parser bug is not necessarily an exploitable vulnerability. It is sufficient to know that bash cannot be exploited once you apply patch 10 (all 6 CVEs were neutralized by that one patch, as well as any other as-yet-unreported parser bugs).

--
Eric Blake   eblake redhat com   +1-919-301-3266
Libvirt virtualization library http://libvirt.org
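The script below is an added example, not code from this thread. Instead of re-running the nested-loop parser test, it verifies the property Eric's reply relies on: that bash no longer turns an arbitrarily named environment variable into a function. It assumes the fixed bash carries exported functions under names beginning with `BASH_FUNC_`; the variable name `probe` is a constructed, harmless no-op.

```shell
#!/bin/sh
# Added verification script (not from the thread): check the property that
# makes the parser bugs non-exploitable, namely that a child bash ignores a
# function-looking value stored in a plain environment variable.
# Assumption: a fixed bash encodes exported functions as BASH_FUNC_name...

# Returns 0 if a plain variable whose value looks like a function body is
# NOT turned into a function by a child bash; returns 1 if it is.
check_function_import_hardened() {
    # Constructed probe: a no-op function body under a plain variable name.
    if env 'probe=() { :; }' bash -c 'declare -F probe >/dev/null 2>&1' 2>/dev/null
    then
        return 1   # child bash defined "probe" from the environment: not fixed
    fi
    return 0
}

# Positive control so that "bash not installed" cannot masquerade as a pass:
# a legitimately exported function must still reach a child bash, and it
# must travel under the BASH_FUNC_ encoding.  Returns 0 on success.
export_function_roundtrip() {
    bash -c '
        f() { :; }
        export -f f
        bash -c "declare -F f >/dev/null" && env | grep -q "^BASH_FUNC_f"
    ' 2>/dev/null
}

# Human-readable summary; returns 0 only when both checks pass.
report() {
    if ! export_function_roundtrip; then
        echo "cannot verify: bash missing or function export broken"
        return 2
    fi
    if check_function_import_hardened; then
        echo "ok: bash ignores function-looking values in plain variables"
        return 0
    fi
    echo "NOT FIXED: bash imports functions from arbitrary variables"
    return 1
}
```

Source the file and call `report`; it prints one line and returns 0 only when the positive control works and the probe variable is not imported.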