Debian User Forums

[dasein]

FYI: http://www.csoonline.com/article/268726 ... -6271.html

[kedaha]

Thanks for your post; I see at dsa-3032:

For the stable distribution (wheezy), this problem has been fixed in version 4.2+dfsg-0.1+deb7u1.

So I've updated server and desktop immediately.

Code: Select all

# aptitude dist-upgrade
The following packages will be upgraded:
  apt apt-utils bash libapt-inst1.5 libapt-pkg4.12

Fixed.

[Hallvor]

Thank you.

[kedaha]

I see it's been called the "Shell Shock Bug". And the the news media are making quite a meal out of it.
Anyway, just in case: DashAsBinSh.

[Spock]

https://security-tracker.debian.org/tra ... -2014-6271
https://security-tracker.debian.org/tra ... -2014-7169

[dasein]

And the script kiddies are off... http://www.itnews.com.au/News/396197,fi ... works.aspx

[dasein]

Sometimes the obvious fix isn't actually, well, you know... a fix.

http://arstechnica.com/security/2014/09 ... first-fix/

[Spock]

http://en.wikipedia.org/wiki/Shellshock ... are_bug%29

[kedaha]

My server's configured to use dash:

Code: Select all

$ apt-cache policy dash
dash:
  Installed: 0.5.7-3

Out of curiosity, I simulated (since curiosity killed the cat) removing bash and got:

Code: Select all

$ aptitude remove -s bash
The following packages will be REMOVED: 
  bash
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 3,739 kB will be freed.
The following ESSENTIAL packages will be REMOVED!
  bash

WARNING: Performing this action will probably cause your system to break!
         Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
I am aware that this is a very bad idea
Would download/install/remove packages.

I have no intention of removing bash but, I just wondered if this might also be "a very bad idea" when the system has been reconfigured to use dash as the default system shell. My guess is that it could be removed providing essential dependences didn't get removed with it.

[micksulley]

How do I fix this????

My version is
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3

I have run
apt-get update
apt-get upgrade
and it tells me everything is up to date but running the test I get

mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????

[n_hologram]

have you tried:

# apt-get dist-upgrade

[micksulley]

Yes I tried that and it didn't work -

Code: Select all

mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
[sudo] password for mick:
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$



[Bulkley]

mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????

Show us your sources.

[micksulley]

deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

[dasein]

Repo mixing and matching doesn't work across stable versions, either.

If you've been running Debian for two years, then it's probably time to learn the basics of Debian releases and repositories.

https://www.debian.org/releases/
https://wiki.debian.org/SourcesList