Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On Thursday, September 25, 2014 13:59:40 Joe Loiacono wrote:
> By default I have seemingly assumed sysadmin duties for a host running
> Debian 6.0.7 (squeeze). So (not having done a lot of this before) ...
>
>
> 1) the system bash is vulnerable
>
> > env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> vulnerable
> this is a test
>
> 2) bash is version 4.1.5
>
> host: bash --version
> GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)
>
> 3) There are no upgrades
>
> $ apt-get install bash
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> bash is already the newest version.
>
> Would you mind recommending how best I should proceed?
>
> Thank you,
>
> Joe Loiacono
Joe -
I updated my Squeeze box this morning. Try as root:
apt-get update
then ---
apt-get upgrade
Mike
--
Mike McGinn KD2CNU
Be happy that brainfarts don't smell.
No electrons were harmed in sending this message, some were inconvenienced.
** Registered Linux User 377849
Reply to: