
Re: bash vulnerability jessie



The Wanderer <wanderer@fastmail.fm> writes:

> On 09/26/2014 at 11:56 AM, Harry Putnam wrote:
>
>> After an `aptitude full-upgrade' this morning.  I still get the
>> `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'
>>
>> I hope that is the correct string... (extracted while googling on
>> vulnerability)
>
> I've seen a few different ones, and that isn't any of them, but it seems
> to work just as well as the "canonical" one which I've seen demonstrate
> the vulnerability in the past.

[...]

Thanks for that input.

>
>> I did ssh to my user from the same shell I ran aptitude in to make
>> sure I had a new login... but I still see `Vulnerable' in answer
>> to the string above.
>
> With what version of bash?

> I just upgraded to 4.3-9.1, from current testing, which includes the
> existing partial fix (a more complete one is apparently now in sid). I
> retested with the same test command you listed, as well as with what I'd
> seen the failure on before, and it now shows as non-vulnerable.

[...] 

I appear to have left out the fact that I'm talking about `jessie'.
Sorry, a foolish slip... I usually do include that info.

I may be a simpleton but I assumed anyone freshly `full-upgraded' with
jessie would have the same version.

Apparently not... here, after a full-upgrade of jessie about 2 hrs ago
at a little before noon or so Eastern standard (US) time I see:

  bash --version
  GNU bash, version 4.3.24(1)-release (i586-pc-linux-gnu)

  x='() { :;}; echo VULNERABLE' bash -c :
  VULNERABLE

But also I did read in the few threads that have come thru that either
wheezy or jessie (very recently upgraded) should not return
`VULNERABLE'.

That is not true for me here.  It appears your version of bash is a bit
newer than mine... so I guess it has been updated within a few hours.

However, as I mentioned above from what I've read in our threads, a
full-upgrade only 2 hrs old should not have a version of bash that
returns VULNERABLE.

> In practice, if your computer doesn't run any services (such as a Web or
> SSH server) that can be accessed from a non-trusted IP address (such as
> the outside Internet), you're probably safe.

That pretty well describes me ... I run a ssh and web server on a home
lan so no ssh or www requests from the internet are allowed.  Just the
home network. ...

As a matter of course I have `gone out of my way' as you say for yrs
so maybe not too much threat here.

Thanks for the input.
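The check Harry ran by hand above (print the bash version, then see whether a function-looking environment variable gets its trailing command executed) can be wrapped so it reports a clear status for any bash binary. This is an added example, not code from the thread or from Debian; the function names `shellshock_status`, `report_bash` and `make_fake_vulnerable_bash` are my own, and the "fake vulnerable bash" is a constructed stand-in that only prints the marker so the vulnerable branch of the report can be exercised on a patched machine.

```shell
#!/bin/sh
# Added example: report whether a bash binary still runs the trailing command of
# a function-shaped environment variable (the test string from the thread).

# shellshock_status BINARY
#   returns 0 = marker not echoed (patched), 1 = marker echoed (vulnerable),
#           2 = binary not found / not executable
shellshock_status() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    # Only an unpatched bash imports 'x' as a function AND executes what follows
    # the function body while doing so; the script body itself is just ':'.
    out=$(x='() { :;}; echo VULNERABLE' "$bin" -c : 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# report_bash BINARY: human-readable version line plus status, always returns 0
report_bash() {
    bin="${1:-bash}"
    ver=$("$bin" --version 2>/dev/null | head -n 1)
    rc=0
    shellshock_status "$bin" || rc=$?
    case "$rc" in
        0) printf '%s\n  %s\n  status: NOT vulnerable (env-function test)\n' "$bin" "${ver:-unknown version}" ;;
        1) printf '%s\n  %s\n  status: VULNERABLE, upgrade this bash\n'      "$bin" "${ver:-unknown version}" ;;
        *) printf '%s\n  status: binary not found or not executable\n'         "$bin" ;;
    esac
    return 0
}

# make_fake_vulnerable_bash: write a constructed stand-in script that mimics the
# OUTPUT of an unpatched bash (it has no bug of its own), print its path.
make_fake_vulnerable_bash() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
#!/bin/sh
# constructed stand-in: answers --version, otherwise prints the marker
case "$1" in
    --version) echo "GNU bash, version 0.0.0 (constructed stand-in)"; exit 0 ;;
esac
echo VULNERABLE
EOF
    chmod +x "$f"
    printf '%s\n' "$f"
}

# Stand-alone use: check the bash named on the command line (default: bash in PATH).
report_bash "${1:-bash}"
```

Point `report_bash` at a specific path (for example the bash you just upgraded) rather than relying on PATH if you have more than one copy installed; as Harry found, what matters is the version the upgraded package actually installed, not which suite you think you are tracking.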

