I'm confused. The article you linked is instructions to install dash and configure a base system to use it as default. Am I misunderstanding something?<div><br></div><div>-lee<br><br>On Thursday, September 25, 2014, Hans-Christoph Steiner <<a href="mailto:hans@guardianproject.info">hans@guardianproject.info</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
dash is still the default /bin/sh, for speed and security, but you can change<br>
that to bash if you want:<br>
<a href="https://wiki.debian.org/DashAsBinSh" target="_blank">https://wiki.debian.org/DashAsBinSh</a><br>
<br>
Ubuntu also uses dash by default:<br>
<a href="https://wiki.ubuntu.com/DashAsBinSh" target="_blank">https://wiki.ubuntu.com/DashAsBinSh</a><br>
<br>
.hc<br>
<br>
Lee Azzarello wrote:<br>
> This output is from a Debian stable base system built with debootstrap<br>
> and no additional packages installed.<br>
><br>
> root@debian:~# ls -l /bin/sh<br>
> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash<br>
><br>
> I don't think Debian has used Dash since Sarge.<br>
><br>
> -lee<br>
><br>
> On 9/25/14, 1:36 PM, Dev Random wrote:<br>
>> This seems mitigated by the fact that /bin/sh is -> dash on debian.<br>
>> So unless something does explicitly #!/bin/bash, things should be<br>
>> okay.<br>
><br>
>> BTW, there's a related vuln that's not fixed yet - CVE-2014-7169<br>
>> <a href="https://news.ycombinator.com/item?id=8365158" target="_blank">https://news.ycombinator.com/item?id=8365158</a><br>
><br>
>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:<br>
>>> A remote code execution bug was found in the GNU Bash shell.<br>
>>><br>
>>> <a href="http://seclists.org/oss-sec/2014/q3/650" target="_blank">http://seclists.org/oss-sec/2014/q3/650</a><br>
>>><br>
>>> I tested it on Debian stable from two days ago and indeed, I<br>
>>> could execute code after a function definition in an environment<br>
>>> variable. A server I updated yesterday evening was not<br>
>>> vulnerable, as the Debian team got a patch released quite fast.<br>
>>><br>
>>> This affects any server you run any code on, though the remote<br>
>>> code execution attack vector is unlikely for many contemporary<br>
>>> application servers. Read the write up for details about a proof<br>
>>> of concept.<br>
>>><br>
>>> Good Morning!<br>
>>><br>
>>> -lee<br>
>>> _______________________________________________<br>
>>> Guardian-dev mailing list<br>
>>><br>
>>> Post: <a href="javascript:;" onclick="_e(event, 'cvml', 'Guardian-dev@lists.mayfirst.org')">Guardian-dev@lists.mayfirst.org</a> List info:<br>
>>> <a href="https://lists.mayfirst.org/mailman/listinfo/guardian-dev" target="_blank">https://lists.mayfirst.org/mailman/listinfo/guardian-dev</a><br>
>>><br>
>>> To Unsubscribe Send email to:<br>
>>> <a href="javascript:;" onclick="_e(event, 'cvml', 'Guardian-dev-unsubscribe@lists.mayfirst.org')">Guardian-dev-unsubscribe@lists.mayfirst.org</a> Or visit:<br>
>>> <a href="https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net" target="_blank">https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net</a><br>
>>><br>
>>><br>
>>><br>
> You are subscribed as: <a href="javascript:;" onclick="_e(event, 'cvml', 'c1.android@niftybox.net')">c1.android@niftybox.net</a><br>
><br>
><br>
<br>
--<br>
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81<br>
</blockquote></div>
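<div>The thread turns on two checks: what /bin/sh resolves to, and which scripts name bash explicitly in their shebang. The following is an added example, not part of the original messages; it audits both, and the sample script names are constructed for the demonstration.</div>

```sh
#!/bin/sh
# Added example: which scripts reach bash, depending on what /bin/sh points at.

# Follow symlinks from a shell path and print the final binary's name.
resolve_shell() {
    real=$(readlink -f -- "$1") || return 1
    basename -- "$real"
}

# Classify a file by its shebang line: prints bash, sh, or other.
shebang_kind() {
    first=$(head -n 1 -- "$1" 2>/dev/null | tr -d '\000\r')
    case $first in
        '#!'*bash*) echo bash ;;
        '#!'*/sh | '#!'*/sh' '* | '#!'*'env sh'*) echo sh ;;
        *) echo other ;;
    esac
}

# Report scripts under dir ($1) that run under bash, given the binary
# name /bin/sh resolves to ($2). Explicit bash shebangs are always listed.
audit_dir() {
    dir=$1 sh_is=$2
    find "$dir" -type f | sort | while IFS= read -r f; do
        kind=$(shebang_kind "$f")
        if [ "$kind" = bash ]; then
            printf 'bash-explicit %s\n' "$f"
        elif [ "$kind" = sh ] && [ "$sh_is" = bash ]; then
            printf 'bash-via-sh %s\n' "$f"
        fi
    done
}

# Constructed sample scripts (hypothetical names) for an offline run.
make_samples() {
    printf '#!/bin/bash\necho cgi\n' > "$1/cgi.sh"
    printf '#!/usr/bin/env bash\necho env\n' > "$1/env.sh"
    printf '#!/bin/sh -e\necho hook\n' > "$1/hook.sh"
    printf '#!/usr/bin/env python3\nprint(1)\n' > "$1/tool.py"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "/bin/sh resolves to: $(resolve_shell /bin/sh)"
audit_dir "$tmp" "$(resolve_shell /bin/sh)"
rm -rf "$tmp"
```

<div>Point audit_dir at a real directory such as a CGI or init-script tree to see which entries depend on the installed bash being patched.</div>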