[olug] Bash Bug Info

Aric Aasgaard aric at omahax.com
Thu Sep 25 13:00:54 CDT 2014


I agree with Swackhamer's comment.
https://bugzilla.redhat.com/show_bug.cgi?id=1141597
... it looks like the RedHat patch didn't really fix it.

-----Original Message-----
From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of Lou Duchez
Sent: Thursday, September 25, 2014 12:08 PM
To: Omaha Linux User Group
Subject: Re: [olug] Bash Bug Info

I'm pretty sure you're okay; take a look at this page:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

More or less the same test as you were running, and they are explicit that
it's not a problem if you get the final "echo" message, provided it craps
out on the function definition attempt.

> I just ran the test script below - ok needed updates.
>
> Did the updates, reran the script
>
> Now I'm getting error importing x but Hello is still echoed at the end.
>
> Is this expected?
>
> The system claims no more updates marked needed.
>
> Thanks
> ---- jay swackhamer <reboottheuser at gmail.com> wrote:
> Has anyone ever thought that a vulnerability announcement like this, 
> would be an efficient way to deliver another vulnerability inside the 
> package, and guarantee that most will install it on their systems?
>
> On Thu, Sep 25, 2014 at 6:26 AM, Brian Roberson <roberson at bstc.net> wrote:
>
>> Busy day for all us sys admins.
>>
>> Quick vulnerability check:
>>
>> env x='() { :;}; echo vulnerable' bash -c 'echo hello'
>>
>>
>> if you get anything but an error, you need to patch quickly!
>>
>>
>> http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/mailman/listinfo/olug
>>

_______________________________________________
OLUG mailing list
OLUG at olug.org
https://lists.olug.org/mailman/listinfo/olug
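
The thread's question is how to read the check's output once "hello" still appears after updating; the script below is an added example (not code from any poster) that runs the quoted check and classifies the result. The verdict names and sample outputs are constructed for illustration, and it covers only this one check, so a passing verdict does not address the concern raised at the top of the thread that the first patch was incomplete.

```shell
#!/bin/sh
# Added example (not from the thread): classify the result of the check quoted above.
# Verdict names are hypothetical labels chosen for this example.

# Constructed sample outputs, modelled on what the posters describe.
SAMPLE_VULN_OUT='vulnerable
hello'
SAMPLE_WARN_ERR="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'"

# classify_probe STDOUT STDERR -> prints one verdict
classify_probe() {
    probe_out=$1
    probe_err=$2
    case $probe_out in
        *vulnerable*) echo VULNERABLE; return 0 ;;   # injected command ran
    esac
    case $probe_out in
        *hello*) ;;                                  # the -c command ran normally
        *) echo INCONCLUSIVE; return 0 ;;            # shell missing or crashed
    esac
    case $probe_err in
        *"ignoring function definition attempt"*|*"error importing function definition"*)
            echo REJECTED_WITH_WARNING ;;            # import refused, hello still printed
        *)  echo NOT_TRIGGERED ;;                    # variable treated as plain data
    esac
}

# run_probe [SHELL] -> runs the thread's check against SHELL (default: bash)
run_probe() {
    target=${1:-bash}
    errfile=$(mktemp) || return 1
    probe_out=$(env x='() { :;}; echo vulnerable' "$target" -c 'echo hello' 2>"$errfile") || true
    probe_err=$(cat "$errfile")
    rm -f "$errfile"
    classify_probe "$probe_out" "$probe_err"
}

echo "sample, unpatched:      $(classify_probe "$SAMPLE_VULN_OUT" "")"
echo "sample, after updating: $(classify_probe "hello" "$SAMPLE_WARN_ERR")"
if command -v bash >/dev/null 2>&1; then
    echo "local bash:             $(run_probe bash)"
fi
```

Only VULNERABLE means the text after the function body was executed; REJECTED_WITH_WARNING is the "error importing x, but hello is still echoed" case asked about above.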


