Re: bash vulnerability jessie
The Wanderer <wanderer@fastmail.fm> writes:
> On 09/26/2014 at 11:56 AM, Harry Putnam wrote:
>
>> After an `aptitude full-upgrade' this morning, I still get the
>> `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'
>>
>> I hope that is the correct string... (extracted while googling on
>> vulnerability)
>
> I've seen a few different ones, and that isn't any of them, but it seems
> to work just as well as the "canonical" one which I've seen demonstrate
> the vulnerability in the past.
[...]
Thanks for that input.
>
>> I did ssh to my user from the same shell I ran aptitude in to make
>> sure I had a new login... but I still see `Vulnerable' in answer
>> to the string above.
>
> With what version of bash?
> I just upgraded to 4.3-9.1, from current testing, which includes the
> existing partial fix (a more complete one is apparently now in sid). I
> retested with the same test command you listed, as well as with what I'd
> seen the failure on before, and it now shows as non-vulnerable.
[...]
I appear to have left out the fact that I'm talking about `jessie'.
Sorry, a foolish slip... I usually do include that info.
I may be a simpleton but I assumed anyone freshly `full-upgraded' with
jessie would have the same version.
Apparently not... here, after a full-upgrade of jessie about 2 hrs ago
at a little before noon or so Eastern Standard (US) time I see:
bash --version
GNU bash, version 4.3.24(1)-release (i586-pc-linux-gnu)
x='() { :;}; echo VULNERABLE' bash -c :
VULNERABLE
But also I did read in the few threads that have come thru that either
wheezy or jessie (very recently upgraded) should not return
`VULNERABLE'.
That is not true for me here. It appears your version of bash is a bit
newer than mine... so I guess it has been updated within a few hours.
However, as I mentioned above from what I've read in our threads, a
full-upgrade only 2 hrs old should not have a version of bash that
returns VULNERABLE.
> In practice, if your computer doesn't run any services (such as a Web or
> SSH server) that can be accessed from a non-trusted IP address (such as
> the outside Internet), you're probably safe.
That pretty well describes me ... I run an ssh and web server on a home
LAN, so no ssh or www requests from the internet are allowed. Just the
home network. ...
As a matter of course I have `gone out of my way', as you say, for years,
so maybe not too much threat here.
Thanks for the input.
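The one-liner discussed in this thread only exercises the original bug; the "partial fix" mentioned in the quoted reply refers to the first bash patch, which was itself incomplete and got a second public test string. The following is an added example, not code from the original thread or from Debian: a POSIX shell function that runs both public test strings against a bash binary given as its argument (default: the `bash` found on PATH) and reports whether each one still triggers. The CVE numbers in the comments are the well-known identifiers for these two bugs (CVE-2014-6271 for the original, CVE-2014-7169 for the incomplete first fix); the function name and its exit codes are this example's own choices. Because the checks are run as a child process, the script works no matter which shell you invoke it from, which matters here: the quoted test only says anything about the `bash` that `bash -c` actually finds, not about the shell you are typing into.

```shell
#!/bin/sh
# Added example (not from the original thread): checker for the two public
# Shellshock test strings. Runs the candidate bash as a child process.
# Exit status of shellshock_check:
#   0 = neither test triggers (patched)
#   1 = at least one test triggers (vulnerable)
#   2 = the binary could not be executed (so "no output" proves nothing)

shellshock_check() {
    bash_bin="${1:-bash}"

    # First make sure the binary runs at all; an absent bash would otherwise
    # produce no "VULNERABLE" output and look patched.
    if ! "$bash_bin" -c 'exit 0' >/dev/null 2>&1; then
        echo "$bash_bin: cannot execute" >&2
        return 2
    fi

    status=0

    # Test 1 (CVE-2014-6271): a function definition exported through the
    # environment, followed by trailing code. A vulnerable bash executes the
    # trailing `echo VULNERABLE` while importing the function at startup,
    # before it ever gets to the harmless `-c :` command.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c : 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "CVE-2014-6271: vulnerable"; status=1 ;;
        *)            echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # Test 2 (CVE-2014-7169): the incomplete first fix. The deliberately
    # broken definition leaves the parser in a bad state, so the following
    # `echo date` is mis-parsed and a vulnerable bash writes the output of
    # `date` into a file named "echo" in the current directory. Run it in a
    # scratch directory so nothing is left behind either way.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$tmp/echo" ]; then
        echo "CVE-2014-7169: vulnerable"; status=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$tmp"

    return "$status"
}

# Usage: shellshock_check [/path/to/bash]
# e.g.   shellshock_check /bin/bash; echo "exit status: $?"
```

Pass the explicit path of the bash that your services actually run (for most Debian systems `/bin/bash`) rather than relying on PATH, and remember that the check covers only the bash binary it is pointed at: the network exposure discussed in the quoted reply (CGI scripts, `ForceCommand` in sshd, DHCP clients, and similar places where an attacker controls environment variables) is what turns a "vulnerable" result into a reachable problem.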