Interesting:
Quote: I just installed, for work (http://www.tarent.de/), Hanno Böck's bashcheck (https://github.com/hannob/bashcheck) utility on our monitoring system, and watched all¹ systems go blue.
① All but two. One is not executing remote scripts from the monitoring for security reasons, the other is my desktop which runs Debian "sid" (unstable).
This means that all those distributions still have unfixed #shellshock bugs.
http://evolvisforge.blog.tarent.de/archives/93
Thanks. Your posting would be much more helpful if you posted the bash version of your still possibly vulnerable Debian/sid system.
At present I have installed
Quote:
# apt-cache policy bash
bash:
  Installiert: 4.3-11
I'm writing in the siduction forum and - surprise - I run siduction on my machine. Kernel: 3.17-0.towo.2-siduction-amd64 x86_64 (64 bit), Desktop: KDE 4.14.1 Distro: aptosid 2011-01 Γῆρας - kde-full - (201102052200)
Subject was: shellshock still unfixed *except* in Debian unstable
To me this sounds like very good information. We do run Debian Sid, don't we? And I guess most of us frequently do dist-upgrades. I do. My bash version is - surprise - 4.3-10.
$ apt-cache policy bash
bash:
  Installiert: 4.3-10
  Installationskandidat: 4.3-10
  Versionstabelle:
 *** 4.3-10 0
        500 http://ftp2.de.debian.org/debian/ unstable/main amd64 Packages
        500 http://ftp2.de.debian.org/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-0.1 0
        500 http://ftp2.de.debian.org/debian/ stable/main amd64 Packages
I did some tests:
env x='() { :;}; echo shellshockverwundbar' bash -c ""
(nothing...)
env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: Datei oder Verzeichnis nicht gefunden
So why should I write a bug report?
/edit
I did my last upgrade yesterday (?). After apt-get update (a minute ago) I noticed that there is indeed a newer version of bash (4.3-11). But I guess my system wasn't vulnerable before updating as I did the tests I mentioned above. After updating bash I did it again. Same results.
I wrote what I wrote because in some days nobody will have a clue which version of Debian/sid/bash you are referring to *unless* you mention it explicitly.
Now you did. Thanks.
Quote: So why should I write a bug report?
And just for the record and to clarify: michaa7 is not directing it personally at anyone. It's just part of his signature.