[GLLUG] Bash Bug
James Roberts
j.roberts at stabilys.com
Thu Sep 25 16:52:53 UTC 2014
On 25/09/14 16:54, Iain M Conochie wrote:
> Sorry mate, but this is a bash bug, and is not confined only to RHEL /
> CentOS:
>
>
> >$ env x='() { :;}; \
> echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
> >$ cat /etc/debian_version
> 6.0.10
> >$ bash --version
> GNU bash, version 4.1.5(1)-release (i486-pc-linux-gnu)
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>

I don't get that result on our Debian 7 instances pre-patch (perhaps due
to our config?)

# env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed

It's better after the patch though.

All the CentOS failed.

--
Stabilys Ltd www.stabilys.com
244 Kilburn Lane
LONDON
W10 4BA
0845 838 5370
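
Added example (not part of the original messages): the two tests in this message invoke different binaries, `bash` and `/bin/sh`, so this script reports whether each path is actually bash before running the same probe against it. The function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# Print "bash <version>" if the binary at $1 is bash, else "not-bash".
# BASH_VERSION is set only by bash, so this holds even when the path
# is a symlink or an alternative such as /bin/sh.
shell_identity() {
    ver=$("$1" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null) || ver=""
    if [ -n "$ver" ]; then echo "bash $ver"; else echo "not-bash"; fi
}

# Run the probe quoted in the thread against the shell at $1.
# Prints one of: vulnerable, not-vulnerable, missing, error.
probe_shell() {
    command -v "$1" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo probe-done' 2>/dev/null) || out=""
    case $out in
        *vulnerable*) echo vulnerable ;;
        *probe-done*) echo not-vulnerable ;;
        *) echo error ;;
    esac
}

# Report identity and probe result for each candidate shell path,
# one tab-separated line per shell.
report_shells() {
    for s in "$@"; do
        printf '%s\t%s\t%s\n' "$s" "$(shell_identity "$s")" "$(probe_shell "$s")"
    done
}

report_shells bash /bin/sh
```

A line reading `not-bash` with `not-vulnerable` means the probe never reached bash on that path, so the bash binary itself still has to be checked by name.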