-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 09/24/2014 at 04:52 PM, Steve Litt wrote:

> Hi everyone,
>
> Bash Code Injection Vulnerability via Specially Crafted
> Environment Variables (CVE-2014-6271)
>
> https://access.redhat.com/articles/1200223
>
> My current Debian setup is vulnerable, as shown below:
>
> ==============================================
> slitt@mydesq2:~$ env x='() { :;}; \
> echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
> slitt@mydesq2:~$ bash --version
> GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
> ==============================================
>
> Does anyone know if there's a fix for Debian's bash, and how to
> install it?

As already noted, there's been a debian-security-announce alert about this, for a fix in wheezy.

For testing, I don't know how comprehensive it is, but I ran a variant of that same test on my system (with bash 4.3.9) and got a successful pass - no vulnerability indicated. Online reports have indicated that bash 4.3.x is affected, and I haven't updated bash since before these reports hit, so I don't know what the true shape of the picture is. The data point seemed potentially worth mentioning, however.

A quick test also indicates that, as mostly expected, dash (the Debian Almquist shell, which provides /bin/sh by default in current Debian) is apparently not affected.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.
         -- George Bernard Shaw

Archive: https://lists.debian.org/542431d8.4050...@fastmail.fm
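The test quoted in the thread, wrapped as a small POSIX sh script so it can be run against each shell discussed (bash, dash, and whatever /bin/sh points at) and report a result instead of relying on eyeballing the output. This is an added example, not code from the original mail or from Debian; it assumes only that the shell under test accepts `-c`, which bash and dash both do. It uses the same payload as the quoted test: a function definition in an environment variable followed by a trailing command. An affected bash runs the trailing `echo vulnerable` while importing the variable; a fixed bash (or dash) ignores it.

```shell
#!/bin/sh
# Added example (not from the original mail): run the CVE-2014-6271 check
# from the thread against any shell binary and report the outcome.
# Assumption: the shell under test accepts `-c`, as bash and dash do.

# shellshock_check SHELL
#   returns 0 if SHELL is NOT affected,
#           1 if SHELL executed the trailing command (affected),
#           2 if SHELL is not installed / not executable.
shellshock_check() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || return 2
    # Same payload as in the quoted test. stderr is discarded because a
    # patched bash prints a warning about the ignored function definition.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Human-readable report for the shells mentioned in the thread.
report() {
    for s in bash dash sh; do
        shellshock_check "$s"
        case $? in
            0) echo "$s: not affected" ;;
            1) echo "$s: AFFECTED (CVE-2014-6271)" ;;
            2) echo "$s: not installed" ;;
        esac
    done
}

report
```

On a wheezy system with the fixed bash from the debian-security-announce alert, `bash` and `sh` should both report "not affected"; a system still on the unpatched 4.2.37(1) build quoted above would report "AFFECTED" for bash while dash continues to pass. Note that this only exercises the original CVE-2014-6271 pattern, the same one the thread tests; it says nothing about later, related parser issues.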