[guardian-dev] Update your servers for real
Hans-Christoph Steiner
hans at guardianproject.info
Thu Sep 25 20:28:38 EDT 2014
dash is still the default /bin/sh, for speed and security, but you can change
that to bash if you want:
https://wiki.debian.org/DashAsBinSh
Ubuntu also uses dash by default:
https://wiki.ubuntu.com/DashAsBinSh
.hc
Lee Azzarello wrote:
> This output is from a Debian stable base system built with debootstrap
> and no additional packages installed.
>
> root at debian:~# ls -l /bin/sh
> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>
> I don't think Debian has used Dash since Sarge.
>
> -lee
>
> On 9/25/14, 1:36 PM, Dev Random wrote:
>> This seems mitigated by the fact that /bin/sh is -> dash on debian.
>> So unless something does explicitly #!/bin/bash, things should be
>> okay.
>
>> BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
>> https://news.ycombinator.com/item?id=8365158
>
>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>> A remote code execution bug was found in the GNU Bash shell.
>>>
>>> http://seclists.org/oss-sec/2014/q3/650
>>>
>>> I tested it on Debian stable from two days ago and indeed, I
>>> could execute code after a function definition in an environment
>>> variable. A server I updated yesterday evening was not
>>> vulnerable, as the Debian team got a patch released quite fast.
>>>
>>> This affects any server you run any code on, though the remote
>>> code execution attack vector is unlikely for many contemporary
>>> application servers. Read the write up for details about a proof
>>> of concept.
>>>
>>> Good Morning!
>>>
>>> -lee
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
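As an added local check (not part of this thread, and not Debian's or Ubuntu's own tooling), the POSIX sh script below reports what /bin/sh resolves to, whether a given bash still executes trailing code from a function definition passed in an environment variable (the bug the advisory describes; the probe string is the one published there), and which scripts under a directory name bash explicitly and so are exposed even when /bin/sh is dash. The function and variable names are this example's own; a Linux host with GNU or busybox `readlink -f` is assumed.

```shell
#!/bin/sh
# Checks for the two points raised in the thread: the real shell behind
# /bin/sh, whether bash imports executable trailing code from env
# functions, and which scripts bypass a dash /bin/sh by naming bash.

# Print the real binary behind /bin/sh (e.g. "dash" or "bash").
resolve_sh() {
    basename "$(readlink -f /bin/sh)"
}

# Return 0 if the shell at $1 runs the trailing "echo vulnerable" from a
# function definition in the environment, 1 otherwise (a patched bash,
# dash, or a missing shell prints only "ok" or nothing).
imports_env_functions() {
    shell=$1
    out=$(env probe='() { :;}; echo vulnerable' "$shell" -c 'echo ok' 2>/dev/null)
    case $out in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# List regular files under $1 whose first line invokes bash explicitly.
bash_shebang_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case $(head -n 1 "$f" 2>/dev/null) in
            '#!/bin/bash'*|'#!/usr/bin/bash'*|'#!/usr/bin/env bash'*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# Human-readable summary for one directory of scripts.
report() {
    printf '/bin/sh -> %s\n' "$(resolve_sh)"
    if imports_env_functions bash; then
        echo "bash: executes trailing code from env functions (update bash)"
    else
        echo "bash: does not execute trailing code from env functions"
    fi
    echo "scripts naming bash explicitly under $1:"
    bash_shebang_scripts "$1"
}

# Usage: sh thischeck.sh /usr/local/bin
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

A patched bash prints only "ok" for the probe, so the "update bash" line appears only on a host that still imports trailing code; scripts found by the last check stay exposed regardless of what /bin/sh points at.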