[guardian-dev] Update your servers for real

Dev Random c1.devrandom at niftybox.net
Thu Sep 25 13:36:34 EDT 2014


This seems mitigated by the fact that /bin/sh is -> dash on debian.  So
unless something does explicitly #!/bin/bash, things should be okay.

BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
https://news.ycombinator.com/item?id=8365158

On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
> A remote code execution bug was found in the GNU Bash shell.
> 
> http://seclists.org/oss-sec/2014/q3/650
> 
> I tested it on Debian stable from two days ago and indeed, I could
> execute code after a function definition in an environment variable. A
> server I updated yesterday evening was not vulnerable, as the Debian
> team got a patch released quite fast.
> 
> This affects any server you run any code on, though the remote code
> execution attack vector is unlikely for many contemporary application
> servers. Read the write-up for details about a proof of concept.
> 
> Good Morning!
> 
> -lee

-- 
Miron / devrandom
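The function-import check the thread describes, written up as an added example from the defender's side (it is not code from the list or either poster): a POSIX sh self-check that reports whether a given bash binary still runs a command trailing an exported function definition (the original CVE-2014-6271 issue only, not the later CVE-2014-7169 parser bug Miron links), plus what /bin/sh really resolves to, since the dash mitigation in the reply depends on that. The function names, the probe variable and the marker string are my own constructions.

```shell
#!/bin/sh
# Added self-check (not from the list thread). Exit codes of check_shellshock:
#   0 = bash ignored the trailing command (patched for CVE-2014-6271)
#   1 = bash executed the trailing command (vulnerable)
#   2 = no bash binary found
# It probes only the original function-import bug, not CVE-2014-7169.
check_shellshock() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Constructed probe: an exported variable shaped like a function definition
    # with a harmless marker command appended. A fixed bash imports (or ignores)
    # the function and stops; an unfixed one also runs the marker at startup.
    out=$(env probe='() { :; }; echo SHOCK_MARKER' "$bash_bin" -c 'echo run' 2>/dev/null)
    case "$out" in
        *SHOCK_MARKER*) return 1 ;;
        *)              return 0 ;;
    esac
}

# The mitigation raised in the reply: system(3), popen(3) and "#!/bin/sh" scripts
# go through /bin/sh, so report what it really is (dash on Debian, bash on many
# other distributions). readlink -f follows the symlink chain; fall back to the
# path itself where readlink lacks -f.
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Human-readable summary; returns the check_shellshock code for scripting.
report() {
    rc=0
    check_shellshock "${1:-bash}" || rc=$?
    case "$rc" in
        0) echo "bash: patched (trailing command not executed)" ;;
        1) echo "bash: VULNERABLE to CVE-2014-6271, update now" ;;
        2) echo "bash: not installed" ;;
    esac
    echo "/bin/sh -> $(sh_target)"
    return "$rc"
}

report "$@" || :
```

Remember that a clean result here says nothing about scripts that start with `#!/bin/bash` explicitly, which is exactly the case the reply calls out; those still need the updated package.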