I'm writing in the siduction forum and - surprise - i run siduction on my machine. Kernel: 3.17-0.towo.2-siduction-amd64 x86_64 (64 bit), Desktop: KDE 4.14.1 Distro: aptosid 2011-01 Γῆρας - kde-full - (201102052200)
Subject was: shellshock still unfixed *except* in Debian unstable
For me this sounds like a very good information. We do run Debian Sid, don't we? And I guess most of us frequently do dist-upgrades. I do. My bash version is - surprise - 4.3-10.
$ apt-cache policy bash
bash:
Installiert: 4.3-10
Installationskandidat: 4.3-10
Versionstabelle:
*** 4.3-10 0
500 http://ftp2.de.debian.org/debian/ unstable/main amd64 Packages
500 http://ftp2.de.debian.org/debian/ testing/main amd64 Packages
100 /var/lib/dpkg/status
4.2+dfsg-0.1 0
500 http://ftp2.de.debian.org/debian/ stable/main amd64 Packages
I did some tests:
env x='() { :;}; echo shellshockverwundbar' bash -c ""
(nothing...)
env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: Datei oder Verzeichnis nicht gefunden
So why should I write a bug report?
/edit
I did my last upgrade yesterday (?). After apt-get update (a minute ago) I noticed that there is indeed a newer version of bash (4.3-11). But I guess my system wasn't vulnerable before updating as I did the tests I mentioned above. After updating bash I did it again. Same results.