[guardian-dev] Update your servers for real
Lee Azzarello
lee at guardianproject.info
Thu Sep 25 15:14:32 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This output is from a Debian stable base system built with debootstrap
and no additional packages installed.
root at debian:~# ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
I don't think Debian has used Dash since Sarge.
-lee
On 9/25/14, 1:36 PM, Dev Random wrote:
> This seems mitigated by the fact that /bin/sh is -> dash on debian.
> So unless something does explicitly #!/bin/bash, things should be
> okay.
>
> BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
> https://news.ycombinator.com/item?id=8365158
>
> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>> A remote code execution bug was found in the GNU Bash shell.
>>
>> http://seclists.org/oss-sec/2014/q3/650
>>
>> I tested it on Debian stable from two days ago and indeed, I
>> could execute code after a function definition in an environment
>> variable. A server I updated yesterday evening was not
>> vulnerable, as the Debian team got a patch released quite fast.
>>
>> This affects any server you run any code on, though the remote
>> code execution attack vector is unlikely for many contemporary
>> application servers. Read the write up for details about a proof
>> of concept.
>>
>> Good Morning!
>>
>> -lee
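A local self-check for the two points raised in this thread, added here as an illustration and not part of any message on the list: whether the bash on the host still executes trailing commands from a function definition imported through the environment, and what /bin/sh actually resolves to. The function names, the marker string and the shebang check are all constructed for this example; the only thing it exercises is the host it runs on.

```shell
#!/bin/sh
# Added example, not from the thread: host self-check for the bash
# function-import bug discussed above. Everything here runs locally.

# Which shell /bin/sh resolves to. The bug lives in bash's import of
# exported function definitions, so a dash /bin/sh only helps scripts
# that do not ask for bash explicitly.
sh_target() {
    readlink -f /bin/sh 2>/dev/null || ls -l /bin/sh
}

# Prints "vulnerable" if the bash in PATH runs the command that follows a
# function definition passed in an environment variable, "patched" if it
# does not, and "no-bash" if bash is not installed at all.
# The marker string is constructed here; a patched bash never echoes it.
check_bash_function_import() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    marker="SHELLSHOCK_MARKER_$$"
    out=$(env x="() { :;}; echo $marker" bash -c 'true' 2>/dev/null)
    case "$out" in
        *"$marker"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# True if a script's first line explicitly requests bash, i.e. a dash
# /bin/sh would not cover it (the "#!/bin/bash" case from the thread).
uses_bash_shebang() {
    head -n 1 "$1" | grep -Eq '^#![[:space:]]*(/bin/|/usr/bin/|/usr/bin/env[[:space:]]+)bash([[:space:]]|$)'
}

# Stand-alone run: report on this host.
if [ "${1:-}" = "--report" ]; then
    echo "/bin/sh -> $(sh_target)"
    echo "bash function import: $(check_bash_function_import)"
fi
```

Run it with `sh check.sh --report` after applying the vendor update; a patched bash prints nothing on the marker test, so "patched" is the expected result on an updated Debian host. The shebang check is the practical complement to the /bin/sh question: scripts that start with `#!/bin/bash` (or `#!/usr/bin/env bash`) get bash regardless of what /bin/sh points at.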