Remote exploit vulnerability in bash

[dasein]

Wow.

http://www.itnews.com.au/News/396256,fu ... ctive.aspx

[Hallvor]

Wow.

http://www.itnews.com.au/News/396256,fu ... ctive.aspx

It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.

Edit: Another bash upgrade today.

[dasein]

It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.

Agreed. It's still worrisome (at least to me) that the vulnerabilities are as deep as they seem to be. And the continuing proliferation of not-really-a-fix "fixes" means that the number of folks who think it's fixed when it really isn't is growing.

[texbrew]

It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.

Agreed. It's still worrisome (at least to me) that the vulnerabilities are as deep as they seem to be. And the continuing proliferation of not-really-a-fix "fixes" means that the number of folks who think it's fixed when it really isn't is growing.

I guess count me among those who thought it was fixed... Will have to keep my ear to the ground on this one.

It is worrisome, but I'd still rather be running Debian linux over Windows any day. Don't know diddly about dash, but I guess that's an option.

tex

[koanhead]

I saw on debian-devel that Ian Jackson had proposed removing the ability for bash to functions from the environment. That would remove the entire class of vulnerability, at a cost of killing a feature that it seems like few people use, though I have no real data on that last. Using `bash -p` has a similar effect.

dash can't import functions from the environment AFAIK. It lacks a lot of bash's features (like history and completion) so it isn't a good choice for an interactive shell (at least not for me) but is good for your shell scripts as long as they don't rely on bashisms.

[mikef5644]

The bash shellshock problem appears to have been fixed in wheezy and squeeze i386.

The debian squeeze armel version is commonly used in NAS boxes and network drives. It appears to install dash by default if it matters.

I'm using a TonidoPlug2, when I run sudo aptitude update
it displays lines like this:
Hit http://security.debian.org squeeze/updates/main armel Packages

When I run sudo aptitude upgrade
it doesn't update bash.

~# cat /etc/issue
Debian GNU/Linux 6.0 \n \l

~# cat /etc/debian_version
6.0.10

~# cat /proc/version
Linux version 2.6.31.8-topkick1281p2-001-004-20101214 (andrew@localhost.localdomain) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-2)) #1 Thu Jun 16 10:06:20 CST 2011

Can we have the squeeze armel version patched as well.

[dilberts_left_nut]

Squeeze is EOL so won't be getting any (official) updates.
AFAIK squeeze-lts is i386/amd64 only.