Even our oldest supported (as extended security maintenance) release
Ubuntu 12.04 had bash 4.2 (https://launchpad.net/ubuntu/+source/bash) -
so whether this affects bash 3.2.57 is not relevant to Ubuntu anymore.
--
This bug was not fixed up to bash v4.3; this bug also arises in v3.2.57.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1507025
Title:
Shell Command Injection with the hostname
To manage notificatio
This bug was fixed in the package bash - 4.3-7ubuntu1.7
---
bash (4.3-7ubuntu1.7) trusty-security; urgency=medium
  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SE
This bug was fixed in the package bash - 4.3-14ubuntu1.2
---
bash (4.3-14ubuntu1.2) xenial-security; urgency=medium
  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  *
This bug was fixed in the package bash - 4.3-15ubuntu1.1
---
bash (4.3-15ubuntu1.1) yakkety-security; urgency=medium
  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  *
This issue was assigned CVE-2016-0634. See the oss-security notice here:
http://openwall.com/lists/oss-security/2016/09/16/8
--
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0634
--
@Marc
Yes, if some application has a bug, for example MintNanny:
https://bugs.launchpad.net/linuxmint/+bug/1460835
--
I'm not sure what the attack vector here is. /etc/hostname is only
writeable by root.
Is there any way for an attacker to control /etc/hostname?
--
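#! /bin/sh
# run this as root early in the boot order. No other script like hostname.sh should run later
# the hyphen goes last in the bracket expression so sed treats it as a literal;
# a backslash is not an escape character inside a sed bracket expression
HOSTNAME="$(hostname|sed 's/[^A-Za-z0-9_.-]/x/g')";hostname "$HOSTNAME"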
--
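Added example, not part of the thread or of the attached hostname.sh: the character-class sanitizing that the workaround posts aim at, written for POSIX sh with the hyphen placed last in the bracket expression so it is a literal. The function names and the sample hostnames are constructed for illustration; the allowed set (letters, digits, "_", "." and "-") is the one used in the posted patterns.

```sh
#!/bin/sh
# Added example (not from the bug thread). Function names and sample
# hostnames are constructed; the allowed set follows the posted patterns.

# Replace every byte outside the allowed set with "x".
# - tr works on the whole string, so an embedded newline is replaced too.
# - The trailing "-" is a literal hyphen, not a range operator.
# - LC_ALL=C keeps the A-Z / a-z ranges ASCII-only in every locale.
sanitize_hostname() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_.-' 'x'
}

# Succeed only if the name is non-empty and already inside the allowed set.
# The body runs in a subshell so the LC_ALL change does not leak out.
hostname_is_clean() (
    LC_ALL=C
    case "$1" in
        '' | *[!A-Za-z0-9_.-]*) false ;;
        *) true ;;
    esac
)

# Constructed sample inputs: one ordinary name, one containing command
# substitution syntax, one containing a space.
for name in 'web-01.example.org' 'node$(true)' 'a b'; do
    if hostname_is_clean "$name"; then
        printf 'ok       %s\n' "$name"
    else
        printf 'rewrite  %s -> %s\n' "$name" "$(sanitize_hostname "$name")"
    fi
done
```
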
script
** Attachment added: "changehostname.sh"
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4510099/+files/changehostname.sh
--
Workaround ...
To make my modified "hostname.sh" script run at startup, I changed the file
/etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order t
That's better ... (the "-" was wrong in my previous posting)
HOSTNAME="${HOSTNAME//[^A-Za-z0-9_\-]/x}"
I attached a modified hostname.sh which uses bash.
It can be started manually with
sudo /etc/init.d/hostname.sh start
The command should somehow run at startup ... but does not by default?
*
Patch:
HOSTNAME=${HOSTNAME//[^A-Za-z0-9-_]/_}
--
German demo video
https://www.youtube.com/watch?v=qYuVzHsklS8
--
typo ... the path is
/etc/init.d/hostname.sh
--
I agree,
I think the hostname should be in the hands of the kernel only.
Should not be overwritten by /etc/hostname.sh.
--
I can't imagine the effort involved in hardening all applications to
treat the hostname as untrusted input.
ISPs that sell vservers are really no different from Intel or AMD or
whoever makes your CPU -- you trust them completely and totally with
your data, your executables, and your entire operati
** Attachment removed: "Dependencies.txt"
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497264/+files/Dependencies.txt
** Attachment removed: "JournalErrors.txt"
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497265/+files/JournalErrors.