
Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)



On Thursday, September 25, 2014 13:59:40 Joe Loiacono wrote:
> By default I have seemingly assumed sysadmin duties for a host running
> Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...
> 
> 
> 1) the system bash is vulnerable
> 
> > env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
> 
> vulnerable
> this is a test
> 
> 2) bash is version 4.1.5
> 
> host: bash --version
> GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)
> 
> 3) There are no upgrades
> 
> $ apt-get install bash
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> bash is already the newest version.
> 
> Would you mind recommending how best I should proceed?
> 
> Thank you,
> 
> Joe Loiacono

Joe -
I updated my Squeeze box this morning. Try as root:
apt-get update 
then ---
apt-get upgrade


Mike

-- 
Mike McGinn		KD2CNU
Be happy that brainfarts don't smell.
No electrons were harmed in sending this message, some were inconvenienced.
** Registered Linux User 377849
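
Added example, not part of the original messages: a shell function that re-runs the probe quoted in Joe's message against a chosen bash binary, so the result can be compared before and after `apt-get update` and `apt-get upgrade`. The function names, the marker string and the default path `/bin/bash` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: re-run the CVE-2014-6271 probe quoted in the thread against
# a chosen bash binary and report the result as an exit status.
# shellshock_probe, shellshock_report and SHELLSHOCK_MARKER are illustrative names.

SHELLSHOCK_MARKER="CVE_2014_6271_marker"

# shellshock_probe [path-to-bash]
#   returns 0: only the requested command ran (not vulnerable to this probe)
#   returns 1: the command placed after the function body also ran (vulnerable)
#   returns 2: the binary is missing or produced no usable output
shellshock_probe() {
    shell_path="${1:-/bin/bash}"
    [ -x "$shell_path" ] || return 2

    # Same shape as the test in the thread: a function definition stored in
    # an environment variable, followed by one extra command.
    out=$(env x="() { :;}; echo $SHELLSHOCK_MARKER" \
          "$shell_path" -c 'echo probe_ok' 2>/dev/null) || true

    case "$out" in
        *"$SHELLSHOCK_MARKER"*) return 1 ;;   # extra command was executed
        *probe_ok*)             return 0 ;;   # only the -c command ran
        *)                      return 2 ;;   # nothing recognisable came back
    esac
}

# shellshock_report [path-to-bash]: one-line, human-readable result.
shellshock_report() {
    target="${1:-/bin/bash}"
    rc=0
    shellshock_probe "$target" || rc=$?
    case "$rc" in
        0) echo "$target: not vulnerable to this probe" ;;
        1) echo "$target: vulnerable, upgrade the bash package" ;;
        *) echo "$target: could not be tested" ;;
    esac
}
```

Running `shellshock_report` once before and once after the upgrade shows whether the installed package actually changed the behaviour of the binary that scripts and services invoke.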

