On Thu, 25 Sep 2014, Thijs Kinkhorst wrote:
> On Thu, September 25, 2014 19:35, Denny Bortfeldt wrote:
> > Is it possible to fix also the 2nd part so that bash is really not
> > vulnerable at all? I saw that Gentoo patched the bash also twice.
>
> It's indeed known that the bash fixes are incomple
Hi Denny,
On Thu, September 25, 2014 19:35, Denny Bortfeldt wrote:
> Is it possible to fix also the 2nd part so that bash is really not
> vulnerable at all? I saw that Gentoo patched the bash also twice.
It's indeed known that the bash fixes are incomplete.
I would like to stress that the curren
Hey guys,
according to a twitter post
(https://twitter.com/taviso/status/514887394294652929), the patch which came
out last night is still vulnerable:
this part was fixed by 4.2+dfsg-0.1+deb7u1:
de...@bortfeldt.net:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is
a test"
bash: warni
On Thu, 25 Sep 2014, Henrique de Moraes Holschuh wrote:
> BTW: sudo is a viable local attack vector for this vulnerability.
Sort of... turns out it has defenses, which are not immediately obvious to
me how to bypass.
--
"One disk to rule them all, One disk to find them. One disk to bring
the
On Thursday, 2014-09-25 at 10:13:31 -0400, Michael Stone wrote:
> On Thu, Sep 25, 2014 at 10:54:38AM -0300, Henrique de Moraes Holschuh wrote:
> In general it's a good idea to have /bin/sh point to something other
> than bash. That's the default on current debian systems, but might
> not be the ca
On Thu, Sep 25, 2014 at 10:54:38AM -0300, Henrique de Moraes Holschuh wrote:
I suggest everyone to do a spring cleanup in the login shells for system
accounts, and to deploy mitigation.
In general it's a good idea to have /bin/sh point to something other
than bash. That's the default on curren
On Thu, 25 Sep 2014, Jan Wagner wrote:
> is there still work on CVE-2014-7169, as the fix for CVE-2014-6271
> seems incomplete?
Work on that is ongoing, AFAIK.
AFAIK, exploits for CVE-2014-7169 are already public (one certainly worked
here, with the CVE-2014-6271 patch applied), and there are rep
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hi there,
On 24.09.2014 at 16:06, Florian Weimer wrote:
> Stephane Chazelas discovered a vulnerability in bash, the GNU
> Bourne-Again Shell, related to how environment variables are
> processed. In many common configurations, this vulnerability
Hi Jens,
On Thu, Sep 25, 2014 at 10:05:28AM +0200, Rabe, Jens wrote:
> is there a chance to get the bash-update for squeeze (6.0)?
Note that regular security support for squeeze has ended. You will
need to use squeeze-lts to still receive updates; more details are
in [1].
[1] https://wiki.de
On Thu, Sep 25, 2014 at 4:05 PM, Jens Rabe wrote:
> is there a chance to get the bash-update for squeeze (6.0)?
Debian squeeze is no longer supported by the Debian security team.
However, the Debian LTS team is supporting squeeze and has released an
update for bash in squeeze-lts.
https://lists.
Hi Florian Weimer,
is there a chance to get the bash-update for squeeze (6.0)?
Bye,
Jens
-Original Message-
From: Florian Weimer
Sent: Wed 24 September 2014 16:07
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 3032-1] bash security update
-
11 matches