Remote exploit vulnerability in bash

Here you can discuss every aspect of Debian. Note: not for support requests!

Re: Remote exploit vulnerability in bash

Postby Hallvor » 2014-09-29 15:58



It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.

Edit: Another bash upgrade today.
Lenovo Thinkpad T440S, Intel Core i7-4600U CPU @ 2.10GHz, 8 GB RAM, 256 GB SSD, Debian Buster (KDE)
User avatar
Hallvor
 
Posts: 949
Joined: 2009-04-16 18:35
Location: Norway

Re: Remote exploit vulnerability in bash

Postby dasein » 2014-09-29 17:18

Hallvor wrote:It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.

Agreed. It's still worrisome (at least to me) that the vulnerabilities are as deep as they seem to be. And the continuing proliferation of not-really-a-fix "fixes" means that the number of folks who think it's fixed when it really isn't is growing.
User avatar
dasein
 
Posts: 7775
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Remote exploit vulnerability in bash

Postby texbrew » 2014-09-29 19:22

dasein wrote:
Hallvor wrote:It looks like many people are looking at the code at the moment. Problems get fixed. I think that is a good thing.

Agreed. It's still worrisome (at least to me) that the vulnerabilities are as deep as they seem to be. And the continuing proliferation of not-really-a-fix "fixes" means that the number of folks who think it's fixed when it really isn't is growing.


I guess count me among those who thought it was fixed... Will have to keep my ear to the ground on this one.

It is worrisome, but I'd still rather be running Debian linux over Windows any day. Don't know diddly about dash, but I guess that's an option.

tex
texbrew
 
Posts: 15
Joined: 2013-04-17 19:08

Re: Remote exploit vulnerability in bash

Postby koanhead » 2014-09-29 22:19

I saw on debian-devel that Ian Jackson had proposed removing the ability for bash to functions from the environment. That would remove the entire class of vulnerability, at a cost of killing a feature that it seems like few people use, though I have no real data on that last. Using `bash -p` has a similar effect.

dash can't import functions from the environment AFAIK. It lacks a lot of bash's features (like history and completion) so it isn't a good choice for an interactive shell (at least not for me) but is good for your shell scripts as long as they don't rely on bashisms.
User avatar
koanhead
 
Posts: 110
Joined: 2013-06-20 16:54

Re: Remote exploit vulnerability in bash

Postby mikef5644 » 2014-10-02 00:33

The bash shellshock problem appears to have been fixed in wheezy and squeeze i386.

The debian squeeze armel version is commonly used in NAS boxes and network drives. It appears to install dash by default if it matters.

I'm using a TonidoPlug2, when I run sudo aptitude update
it displays lines like this:
Hit http://security.debian.org squeeze/updates/main armel Packages

When I run sudo aptitude upgrade
it doesn't update bash.

~# cat /etc/issue
Debian GNU/Linux 6.0 \n \l

~# cat /etc/debian_version
6.0.10

~# cat /proc/version
Linux version 2.6.31.8-topkick1281p2-001-004-20101214 (andrew@localhost.localdomain) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-2)) #1 Thu Jun 16 10:06:20 CST 2011

Can we have the squeeze armel version patched as well.
mikef5644
 
Posts: 1
Joined: 2014-10-01 23:47

Re: Remote exploit vulnerability in bash

Postby dilberts_left_nut » 2014-10-02 02:46

Squeeze is EOL so won't be getting any (official) updates.
AFAIK squeeze-lts is i386/amd64 only.
AdrianTM wrote:There's no hacker in my grandma...
User avatar
dilberts_left_nut
 
Posts: 5020
Joined: 2009-10-05 07:54
Location: enzed

Previous

Return to General Discussion

Who is online

Users browsing this forum: No registered users and 7 guests

fashionable