
Re: Magic String – apache2 and bash



On 10.04.15 07:39, udeppe@aol.com wrote:
> We are running a fully patched Debian 6 server (patch level is up to date).
> Periodically, vulnerability checks are made by external security services.
> The affected server is a VM primarily used as a web server. No database or anything else.
>
> On 09. Apr 2015 we had an attack, as described here: http://www.volexity.com/blog/?p=118
>
> The configuration of the server has been checked.
> Tests on the console are negative; the shell "Bash" is "Shellshock" safe.
> We suspect that the scenario only works with the combination of the components – apache2 and bash (4.1-3+deb6u2).

Note that most of the problems come from calling /bin/sh by system commands
and functions.
Debian has used "dash" as /bin/sh since squeeze (and it was possible to set
it up even before, and I, for example, did it).

...fixed bash version has been uploaded to squeeze-lts on 2014-09-25
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
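
The reply's point about /bin/sh can be checked on a web server by listing which CGI scripts are actually executed by bash. The script below is an added example, not part of the original thread; the function names and the sample file names are hypothetical, and the sample directory is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list CGI scripts that end up run by bash.

# What /bin/sh really is; dash on Debian since squeeze, per the reply above.
sh_target() {
    readlink -f "${1:-/bin/sh}" 2>/dev/null || printf '%s\n' "${1:-/bin/sh}"
}

# Print the interpreter name from FILE's shebang line, following
# "#!/usr/bin/env NAME"; print nothing when there is no shebang.
interpreter_of() {
    first=
    IFS= read -r first < "$1" || :
    case $first in '#!'*) ;; *) return 0 ;; esac
    set -f; set -- ${first#'#!'}; set +f
    [ $# -gt 0 ] || return 0
    interp=${1##*/}
    if [ "$interp" = env ] && [ $# -ge 2 ]; then interp=${2##*/}; fi
    printf '%s\n' "$interp"
}

# bash_backed_scripts DIR [SH_REAL]: report files in DIR that bash executes,
# via a bash shebang or via an sh shebang when SH_REAL is bash.
bash_backed_scripts() {
    sh_real=${2:-$(sh_target)}
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(interpreter_of "$f") in
            bash) printf '%s: bash shebang\n' "${f##*/}" ;;
            sh) if [ "${sh_real##*/}" = bash ]; then
                    printf '%s: sh resolves to bash\n' "${f##*/}"
                fi ;;
        esac
    done
    return 0
}

# Constructed sample cgi-bin directory (hypothetical file names).
make_sample_cgi_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho ok\n'          > "$d/status.cgi"
    printf '#!/bin/sh\necho ok\n'            > "$d/ping.cgi"
    printf '#!/usr/bin/env bash\necho ok\n'  > "$d/report.cgi"
    printf '#!/usr/bin/perl\nprint "ok";\n'  > "$d/form.pl"
    printf '%s\n' "$d"
}

# With a real directory as argument, scan it: sh cgi-scan.sh /usr/lib/cgi-bin
if [ $# -gt 0 ]; then bash_backed_scripts "$1"; fi
```

This only inspects the interpreter line; a script with another shebang can still invoke bash itself.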

