PSA: #shellshock still unfixed except in Debian unstable

Started by pit, 2014/10/08, 16:51:10


pit

Interesting:

Quote:
I just installed, for work, Hanno Böck's bashcheck utility on our monitoring system, and watched all¹ systems go blue.
① All but two. One is not executing remote scripts from the monitoring for security reasons, the other is my desktop which runs Debian "sid" (unstable).
This means that all those distributions still have unfixed #shellshock bugs.
http://evolvisforge.blog.tarent.de/archives/93

michaa7

Thanks. Your posting would be much more helpful if you posted the bash version of your still possibly vulnerable Debian/sid system.

At present I have installed
Quote:
# apt-cache policy bash
bash:
  Installiert:           4.3-11
Ok, you can't code, but you still might be able to write a bug report for Debian's sake

pit

#2

I'm writing in the siduction forum and - surprise - I run siduction on my machine. Kernel: 3.17-0.towo.2-siduction-amd64 x86_64 (64 bit), Desktop: KDE 4.14.1 Distro: aptosid 2011-01 Γῆρας - kde-full - (201102052200)


Subject was: shellshock still unfixed *except* in Debian unstable


For me this sounds like very good information. We do run Debian Sid, don't we? And I guess most of us frequently do dist-upgrades. I do. My bash version is - surprise - 4.3-10.


$ apt-cache policy bash
bash:
  Installiert:           4.3-10
  Installationskandidat: 4.3-10
  Versionstabelle:
*** 4.3-10 0
        500 http://ftp2.de.debian.org/debian/ unstable/main amd64 Packages
        500 http://ftp2.de.debian.org/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-0.1 0
        500 http://ftp2.de.debian.org/debian/ stable/main amd64 Packages



I did some tests:


env x='() { :;}; echo shellshockverwundbar' bash -c ""
(nothing...)


env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: Datei oder Verzeichnis nicht gefunden



So why should I write a bug report?


/edit
I did my last upgrade yesterday (?). After apt-get update (a minute ago) I noticed that there is indeed a newer version of bash (4.3-11). But I guess my system wasn't vulnerable before updating as I did the tests I mentioned above. After updating bash I did it again. Same results.
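
Added example (not part of the post above and not taken from bashcheck): the two tests from the post as a repeatable check that runs in a scratch directory, calls the bash binary itself rather than `sh` (on Debian `/bin/sh` is normally dash, not bash), and prints the version string next to the result. The function names and the default binary name `bash` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Pass a command name on PATH or an absolute path; default "bash" is assumed.

# Check 1 (first test in the post): a vulnerable bash executes the command
# that trails the function definition while importing the variable.
check_env_import() {
    out=$(env x='() { :;}; echo shellshockverwundbar' "$1" -c "" 2>/dev/null) || true
    if [ "$out" = "shellshockverwundbar" ]; then echo vulnerable; else echo ok; fi
}

# Check 2 (second test in the post): a vulnerable parser turns "echo date"
# into "date > echo", leaving a file named "echo" in the working directory.
# Running in a scratch directory keeps that file away from the caller.
check_parser_state() {
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$1" -c "echo date" ) >/dev/null 2>&1 || true
    if [ -e "$scratch/echo" ]; then result=vulnerable; else result=ok; fi
    rm -rf "$scratch"
    echo "$result"
}

# One line per binary: path, version string and both results, so the report
# still identifies what was tested after the next upgrade.
shellshock_report() {
    bin=${1:-bash}
    path=$(command -v "$bin" 2>/dev/null) || { echo "$bin: not found"; return 1; }
    version=$("$path" --version 2>/dev/null | head -n 1)
    echo "$path | $version | env-import=$(check_env_import "$path") | parser-state=$(check_parser_state "$path")"
}

# Usage: shellshock_report            # tests "bash" from PATH
#        shellshock_report /bin/bash  # tests one specific binary
```
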

michaa7

#3
I wrote what I wrote because in some days nobody will have a clue which version of Debian/sid/bash you are referring to *unless* you mention it explicitly.

Now you did. Thanks.
Ok, you can't code, but you still might be able to write a bug report for Debian's sake

tuxic

Quote: So why should I write a bug report?


And just for the record and to clarify: michaa7 is not directing it personally to anyone. It's just part of his signature.
"Many people live and die..., and all they do is process groceries."
                  H. Peavey