Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)



By default I have seemingly assumed sysadmin duties for a host running Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...


1) the system bash is vulnerable

> env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test

2) bash is version 4.1.5

host: bash --version
GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)

3) There are no upgrades

$ apt-get install bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.

Would you mind recommending how best I should proceed?

Thank you,

Joe Loiacono
