Re: [SECURITY] [DSA 3032-1] bash security update

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 3032-1] bash security update
From: Michael Stone <mstone@debian.org>
Date: Thu, 25 Sep 2014 10:13:31 -0400
Message-id: <[🔎] 7cac97c6-44bc-11e4-8968-00163eeb5320@msgid.mathom.us>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20140925135438.GD10569@khazad-dum.debian.net>
References: <87bnq5glkh.fsf@mid.deneb.enyo.de> <[🔎] 5423E3B8.4030401@cyconet.org> <[🔎] 20140925135438.GD10569@khazad-dum.debian.net>

On Thu, Sep 25, 2014 at 10:54:38AM -0300, Henrique de Moraes Holschuh wrote:

I suggest everyone to do a spring cleanup in the login shells for system
accounts, and to deploy mitigation.

In general it's a good idea to have /bin/sh point to something otherthan bash. That's the default on current debian systems, but might notbe the case on systems which were upgraded. Use

  dpkg-reconfigure dash

to change that. There are still cases where the login shell will comeinto play, but the biggest worms crawling around are leveraging /bin/sh.

Note that if you've been running /bin/sh as bash, you may find localscripts which depend on bashisms--you'll want to test this, and it maynot be the best thing to do in a panic right now. But definitelyconsider it for the long term.


Mike Stone

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 3032-1] bash security update
  - From: Lupe Christoph <lupe@lupe-christoph.de>

References:
- Re: [SECURITY] [DSA 3032-1] bash security update
  - From: Jan Wagner <waja@cyconet.org>
- Re: [SECURITY] [DSA 3032-1] bash security update
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: [SECURITY] [DSA 3032-1] bash security update
Next by Date: Re: [SECURITY] [DSA 3032-1] bash security update
Previous by thread: Re: [SECURITY] [DSA 3032-1] bash security update
Next by thread: Re: [SECURITY] [DSA 3032-1] bash security update
Index(es):
- Date
- Thread