[GLLUG] Bash Bug

Iain M Conochie iain at shihad.org
Thu Sep 25 16:30:48 UTC 2014


On 25/09/14 17:24, John Edwards wrote:
> Hi
>
> On Thu, Sep 25, 2014 at 05:11:48PM +0100, Iain M Conochie wrote:
>> <snip>
>>> Debian has pushed out updates for wheezy (7), but I haven't seen
>>> any updates for squeeze (6), yet!
>> Aye - I have shutdown my squeeze webserver just in case.... Are
>> there still updates for squeeze? I have not seen any for a while...
> <snip>
>
> The old situation was that on a new release the previous stable would
> become oldstable and then be supported for a year.
>
> As Wheezy (Debian 7) was released in May 2013 this would normally mean
> that Squeeze (Debian 6) would only be supported until May 2014.
>
> But in April 2014 it was announced that support for Squeeze would run
> for a 5 year lifetime and end in February 2016:
> 	https://lists.debian.org/debian-security-announce/2014/msg00082.html
> 	https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
>
> But ongoing security support is not done by the Debian Security team
> (so packages releases may not happen at the same time) and you need to
> use a different repository:
> 	https://wiki.debian.org/LTS/
> 	https://wiki.debian.org/LTS/Using#Add_squeeze-lts_to_your_sources.list
>
> So to me that says there is some ongoing security support, but if you
> have publicly accessible servers you really should look to upgrade
> them to Wheezy.
>
>
Nice one John! Yes, it seems they have released a patch:

$ env x='() { :;}; \
> echo vulnerable' bash -c "echo this is a test"
bash: line 1: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
$ bash --version
GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Cheers

Iain
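As an added check that is not part of the thread, the probe Iain pasted above wrapped into a small POSIX shell function that reports whether a given bash binary still runs the trailing command of an imported function definition. The binary path is an assumed parameter (defaults to the bash on PATH); the classifier is separated out so it can be exercised on captured output.

```shell
#!/bin/sh
# Added example, not from the mailing list. Checks whether a bash binary
# honours commands appended to a function definition passed via the
# environment (the test shown in the thread). Defender-side use: run it
# across hosts after patching to confirm the fix actually landed.

# Run the probe against the bash binary given as $1 (assumed parameter,
# defaults to "bash" on PATH). Prints the probe's stdout and stderr.
shellshock_probe() {
    probe_bash="${1:-bash}"
    # Same environment value as in the thread: a function body followed
    # by an extra command that a patched bash must not execute.
    env x='() { :;}; echo vulnerable' "$probe_bash" -c 'echo this is a test' 2>&1
}

# Classify captured probe output ($1). On an unpatched bash the appended
# command runs at startup, so the output begins with "vulnerable".
# A patched bash either warns about the definition attempt (as in the
# thread) or silently ignores the variable; either way the word is absent.
shellshock_classify() {
    case "$1" in
        vulnerable*) printf 'vulnerable\n' ;;
        *)           printf 'patched\n' ;;
    esac
}

# Prints patched/vulnerable/unknown for the binary in $1 and returns
# 0 when patched, 1 when vulnerable, 2 when the binary cannot be found.
shellshock_status() {
    probe_bash="${1:-bash}"
    if ! command -v "$probe_bash" >/dev/null 2>&1; then
        printf 'unknown\n'
        return 2
    fi
    probe_out=$(shellshock_probe "$probe_bash")
    result=$(shellshock_classify "$probe_out")
    printf '%s\n' "$result"
    [ "$result" = patched ]
}
```

Run `shellshock_status /bin/bash` on each host; a non-zero exit status flags a machine that still needs the update.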