Wow.
http://www.itnews.com.au/News/396256,fu ... ctive.aspx
Remote exploit vulnerability in bash
- Hallvor
Re: Remote exploit vulnerability in bash
It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.
Edit: Another bash upgrade today.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
Re: Remote exploit vulnerability in bash
Hallvor wrote: It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.
Agreed. It's still worrisome (at least to me) that the vulnerabilities are as deep as they seem to be. And the continuing proliferation of not-really-a-fix "fixes" means that the number of folks who think it's fixed when it really isn't is growing.
Re: Remote exploit vulnerability in bash
Hallvor wrote: It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.
dasein wrote: Agreed. It's still worrisome (at least to me) that the vulnerabilities are as deep as they seem to be. And the continuing proliferation of not-really-a-fix "fixes" means that the number of folks who think it's fixed when it really isn't is growing.
I guess count me among those who thought it was fixed... Will have to keep my ear to the ground on this one.
It is worrisome, but I'd still rather be running Debian linux over Windows any day. Don't know diddly about dash, but I guess that's an option.
tex
Re: Remote exploit vulnerability in bash
I saw on debian-devel that Ian Jackson had proposed removing the ability for bash to import functions from the environment. That would remove the entire class of vulnerability, at a cost of killing a feature that it seems like few people use, though I have no real data on that last. Using `bash -p` has a similar effect.
dash can't import functions from the environment AFAIK. It lacks a lot of bash's features (like history and completion) so it isn't a good choice for an interactive shell (at least not for me) but is good for your shell scripts as long as they don't rely on bashisms.
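Added example (not part of the original posts): a check of which shells import a function that a parent bash has exported through the environment, covering plain bash, `bash -p` and, if installed, dash. It assumes bash is on the PATH; the function name `fn_import_probe` and the helper names `probe` and `report` are made up for this example.

```shell
#!/bin/sh
# Added example: does a child shell import a function that a parent
# bash exported through the environment?
# Assumptions: bash is installed; fn_import_probe is a constructed,
# harmless sample function that does nothing.

# probe SHELL [ARGS...]
# A parent bash defines and exports fn_import_probe, then starts the
# given shell. That child prints "imported" if it sees fn_import_probe
# as a known command (i.e. the function came in via the environment),
# otherwise "absent".
probe() {
    bash -c '
        fn_import_probe() { :; }     # harmless sample function
        export -f fn_import_probe    # put its definition in the environment
        "$@" -c "if type fn_import_probe >/dev/null 2>&1; then echo imported; else echo absent; fi"
    ' probe "$@"
}

# report SHELL [ARGS...]
# Print one line per tested shell invocation.
report() {
    printf '%-10s %s\n' "$*" "$(probe "$@")"
}

report bash        # default behaviour: exported functions are imported
report bash -p     # privileged mode: functions are not inherited
if command -v dash >/dev/null 2>&1; then
    report dash    # dash has no function import at all
fi
```

Any shell reported as `absent` is not reading function definitions from its environment, which is the property discussed in the post above.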
Re: Remote exploit vulnerability in bash
The bash shellshock problem appears to have been fixed in wheezy and squeeze i386.
The debian squeeze armel version is commonly used in NAS boxes and network drives. It appears to install dash by default if it matters.
I'm using a TonidoPlug2, when I run sudo aptitude update
it displays lines like this:
Hit http://security.debian.org squeeze/updates/main armel Packages
When I run sudo aptitude upgrade
it doesn't update bash.
~# cat /etc/issue
Debian GNU/Linux 6.0 \n \l
~# cat /etc/debian_version
6.0.10
~# cat /proc/version
Linux version 2.6.31.8-topkick1281p2-001-004-20101214 (andrew@localhost.localdomain) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-2)) #1 Thu Jun 16 10:06:20 CST 2011
Can we have the squeeze armel version patched as well?
- dilberts_left_nut
Re: Remote exploit vulnerability in bash
Squeeze is EOL so won't be getting any (official) updates.
AFAIK squeeze-lts is i386/amd64 only.
AdrianTM wrote:There's no hacker in my grandma...