On 09/25/2014 at 11:16 AM, The Wanderer wrote:
> On 09/24/2014 at 04:52 PM, Steve Litt wrote:
>
>> Hi everyone,
>>
>> Bash Code Injection Vulnerability via Specially Crafted
>> Environment Variables (CVE-2014-6271)
>>
>> https://access.redhat.com/articles/1200223
>>
>> Does anyone know if there's a fix for Debian's bash, and how to
>> install it?
>
> As already noted, there's been a debian-security-announce alert
> about this, for a fix in wheezy.
>
> For testing, I don't know how comprehensive it is, but I ran a
> variant of that same test on my system (with bash 4.3.9) and got a
> successful pass - no vulnerability indicated.

For the record: this was a false negative. I somehow failed to notice
that the "variant" in question invoked /bin/sh instead of bash...

> A quick test also indicates that, as mostly expected, dash (the
> Debian Almquist shell, which provides /bin/sh by default in
> current Debian) is apparently not affected.

...which, because of this, of course did not indicate vulnerability.

The same test with bash instead of /bin/sh shows 4.3-9 as vulnerable,
as expected.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.
         -- George Bernard Shaw

Archive: https://lists.debian.org/54255834.5040...@fastmail.fm
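As an added example, not code from the thread or from the Red Hat article: a POSIX sh script that runs the function-import check for CVE-2014-6271 against an explicitly named shell binary and reports which binary was really executed, so that a /bin/sh that resolves to dash cannot mask a vulnerable bash the way the quoted test did. The function names shellshock_check and report are my own.

```shell
#!/bin/sh
# Added example: run the CVE-2014-6271 check against a named shell rather
# than whatever /bin/sh happens to be (dash on Debian), avoiding the false
# negative described in the post above.

# Returns 0 when the named shell executes the command that trails a
# function-style environment variable (vulnerable), 1 when it ignores it
# (not vulnerable), and 2 when the shell cannot be found at all.
shellshock_check() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || return 2
    # The value is a function definition followed by a command. A patched
    # shell imports only the function; an unpatched bash also runs the
    # trailing echo, so the marker appears in the output.
    out=$(env x='() { :;}; echo VULNERABLE' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict for one shell, naming the binary that actually ran, so a
# /bin/sh -> dash symlink is visible in the report.
report() {
    shell="$1"
    resolved=$(command -v "$shell" 2>/dev/null || echo "$shell")
    if [ -L "$resolved" ]; then
        resolved="$resolved -> $(readlink "$resolved")"
    fi
    rc=0
    shellshock_check "$shell" || rc=$?
    case "$rc" in
        0) printf '%s: VULNERABLE (%s)\n' "$shell" "$resolved" ;;
        1) printf '%s: not vulnerable (%s)\n' "$shell" "$resolved" ;;
        *) printf '%s: not found\n' "$shell" ;;
    esac
}

# Checking /bin/sh alone reproduces the false negative; bash must be named.
for s in /bin/sh bash; do
    report "$s"
done
```

On a Debian host with an unpatched bash the report shows /bin/sh (dash) as not vulnerable and bash as VULNERABLE, which is exactly the discrepancy the post describes.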