Re: bash vulnerability jessie

To: debian-user@lists.debian.org
Subject: Re: bash vulnerability jessie
From: The Wanderer <wanderer@fastmail.fm>
Date: Fri, 26 Sep 2014 12:12:56 -0400
Message-id: <[🔎] 54259088.6010805@fastmail.fm>
In-reply-to: <[🔎] 87sije2x62.fsf@reader.local.lan>
References: <[🔎] 87sije2x62.fsf@reader.local.lan>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 09/26/2014 at 11:56 AM, Harry Putnam wrote:

> After an `aptitude full-upgrade' this morning.  I still get the 
> `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'
> 
> I hope that is the correct string... (extracted while googling on 
> vulnerability)

I've seen a few different ones, and that isn't any of them, but it seems
to work just as well as the "canonical" one which I've seen demonstrate
the vulnerability in the past.

> I did ssh to my user from the same shell I ran aptitude in to make 
> sure I had a new login... but I still see `Vulnerable' in answer
> to the string above.

With what version of bash?

I just upgraded to 4.3-9.1, from current testing, which includes the
existing partial fix (a more complete one is apparently now in sid). I
retested with the same test command you listed, as well as with what I'd
seen the failyure on before, and it now shows as non-vulnerable.

> Incidentally I get that same `Vulnerable' answer to `ksh' as well. 
> After googling a bit about ksh... I haven't really found solid
> info about whether ksh is a problem too.
> 
> I was a little surprised to see so little mention of this bash
> thing here too.
> 
> Is this bash vulnerability not really a major concern?

Security analysts say it's potentially a bigger problem than Heartbleed.
(It's going by the name "Shellshock" for handy reference, rather than
having to talk about "that bash vulnerability" or the like.)

In practice, if your computer doesn't run any services (such as a Web or
SSH server) that can be accessed from a non-trusted IP address (such as
the outside Internet), you're probably safe.

But almost every Debian install includes at least a SSH server, and if
you haven't gone out of your way to arrange otherwise, it can probably
be reached from the outside Internet by someone who knows the correct IP
address.

(Exactly which outside-accessible services do and don't expose the
vulnerability isn't very clear at the moment AFAIK, so it's better to
err on the safe side and assume they all do until evidence one way or
the other can be found.)

- -- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUJZCIAAoJEASpNY00KDJrvYIP/3sRT2hvyncMqui9zLs/Xrmf
kAUUCghkjcJfl9GqN0axSbNvc2CtkhSnMDmRy0D16KXLHc4UAG2y3hwqgcucQSaY
1KC3PhpfeSyRqfkns7OJjNXNkqPFVJfY/xWw8kIo1Q0rbKjzY9cuX6/WhtCQvxuE
T/W12MBNTaviEm0bPs+KokegUP0C3NEkJ3J0zPRabTjmBtUQmy5FwL+HKMXEo/yf
FSWv0JjlVZAGvsQwXvwVPP5SyPsEK2gk3011mt3QUyRlyuPjDlz2Be3vPynPzw9+
bere6X6AkozMbzLRwDClGlzjQfv+RVYe5leeZMV6u23aTe1AbFMi6POlLgtBL2YL
BKCNFxRD9UmQFPUsNrDqfp+bsdLMtjQrd/TNr0La6ejW+JoTzGIVk+kNm9WQOskM
qJ+nWqlvIOqz7xaxe44S9JeJoudV4CYpIMqYjldN85DhiGcfKtZeGFDI87be/HqT
sczOxKlX/HzQBslGMge2ryXEWi4kh7tdsO/VDzypL49myf6lYA8Stu85zDh9Qdez
8PkKlDCjMl6Ti2kDMjdDNGSboOAGnlAJ0hzyPrCjgHlBT5l5WSQ1A6T2LwtakX9x
wp/WqW4p0xIpLU1hIwJuGpL6qA8whoinrojuI+W2O48VxGcLxDOg5FXg6Rg4K8zr
hzvbY9Nm9WIzfiLYq6hS
=2LDj
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: bash vulnerability jessie
  - From: Ross Boylan <rossboylan@stanfordalumni.org>
- Re: bash vulnerability jessie
  - From: Harry Putnam <reader@newsguy.com>

References:
- bash vulnerability jessie
  - From: Harry Putnam <reader@newsguy.com>

Prev by Date: Re: bash vulnerability jessie
Next by Date: Re: Has the Bash vulnerability been fixed on Jessie yet?
Previous by thread: Re: bash vulnerability jessie
Next by thread: Re: bash vulnerability jessie
Index(es):
- Date
- Thread