[guardian-dev] Update your servers for real

Lee Azzarello lee at guardianproject.info
Thu Sep 25 20:54:37 EDT 2014


I'm confused. The article you linked is instructions to install dash and
configure a base system to use it as default. Am I misunderstanding
something?

-lee

On Thursday, September 25, 2014, Hans-Christoph Steiner <hans at guardianproject.info> wrote:

>
> dash is still the default /bin/sh, for speed and security, but you can
> change that to bash if you want:
> https://wiki.debian.org/DashAsBinSh
>
> Ubuntu also uses dash by default:
> https://wiki.ubuntu.com/DashAsBinSh
>
> .hc
>
> Lee Azzarello wrote:
> > This output is from a Debian stable base system built with debootstrap
> > and no additional packages installed.
> >
> > root at debian:~# ls -l /bin/sh
> > lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
> >
> > I don't think Debian has used Dash since Sarge.
> >
> > -lee
> >
> > On 9/25/14, 1:36 PM, Dev Random wrote:
> >> This seems mitigated by the fact that /bin/sh is -> dash on debian.
> >> So unless something does explicitly #!/bin/bash, things should be
> >> okay.
> >
> >> BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
> >> https://news.ycombinator.com/item?id=8365158
> >
> >> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
> >>> A remote code execution bug was found in the GNU Bash shell.
> >>>
> >>> http://seclists.org/oss-sec/2014/q3/650
> >>>
> >>> I tested it on Debian stable from two days ago and indeed, I
> >>> could execute code after a function definition in an environment
> >>> variable. A server I updated yesterday evening was not
> >>> vulnerable, as the Debian team got a patch released quite fast.
> >>>
> >>> This affects any server you run any code on, though the remote
> >>> code execution attack vector is unlikely for many contemporary
> >>> application servers. Read the write-up for details about a proof
> >>> of concept.
> >>>
> >>> Good Morning!
> >>>
> >>> -lee
> >>>
> >>> _______________________________________________
> >>> Guardian-dev mailing list
> >>>
> >>> Post: Guardian-dev at lists.mayfirst.org
> >>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> >>>
> >>> To Unsubscribe
> >>>         Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
> >>>         Or visit:
> >>> https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
> >>>
> >>> You are subscribed as: c1.android at niftybox.net
> >
>
> --
> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>
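The thread above turns on three local facts: what /bin/sh resolves to on a given box (Lee's `ls -l /bin/sh`), whether the installed bash still executes a command appended to a function definition imported from the environment (the CVE-2014-6271 behaviour Lee reproduced), and whether anything on the host invokes bash explicitly and so sidesteps the dash mitigation Dev Random described. The script below is an added example written for this page, not code from the thread or from any Debian or Guardian Project tool. It assumes GNU coreutils (`readlink -f`) and a `bash` binary on PATH; the variable name `probe`, the marker string and the function names are constructed for the example. It only runs a harmless `echo` and reads files; it changes nothing.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only checks for the points raised
# above: what /bin/sh resolves to, whether bash still runs code appended to an
# exported function definition (CVE-2014-6271), and which scripts call bash
# explicitly and therefore bypass the "/bin/sh is dash" mitigation.
# Assumes GNU coreutils (readlink -f) and bash on PATH; the variable name
# "probe" and the marker string are constructed for this example.

# Name of the binary /bin/sh ultimately points at, e.g. "dash" or "bash".
sh_target() {
    basename "$(readlink -f /bin/sh)"
}

# Classify the stdout of the probe below: the marker appears only if the shell
# executed the command that followed the function body.
classify_probe_output() {
    case "$1" in
        *SHELLSHOCK_TRAILING_CODE_RAN*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Run the function-import probe against one shell binary.
# Returns 0 = vulnerable, 1 = patched (or not bash at all), 2 = binary not found.
shellshock_check() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || return 2
    # An unpatched bash parses "probe" as a function definition at startup and
    # keeps going, so the trailing echo runs before the -c command does.
    out=$(env probe='() { :; }; echo SHELLSHOCK_TRAILING_CODE_RAN' \
          "$shell" -c 'echo started' 2>/dev/null)
    [ "$(classify_probe_output "$out")" = vulnerable ]
}

# List files under a directory whose shebang names bash explicitly; those run
# bash no matter what /bin/sh points at.
bash_shebang_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!/bin/bash'*|'#!/usr/bin/bash'*|'#!/usr/bin/env bash'*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# One-line summary suitable for a cron job or a configuration-management check.
report() {
    rc=0
    shellshock_check bash || rc=$?
    case $rc in
        0) bash_state=vulnerable ;;
        1) bash_state=patched ;;
        *) bash_state="not installed" ;;
    esac
    printf '/bin/sh -> %s; bash function-import probe: %s\n' \
        "$(sh_target)" "$bash_state"
}

report
# Inventory scripts that would bypass the dash mitigation, for example:
# bash_shebang_scripts /usr/lib/cgi-bin
```

Two caveats that follow from the thread itself: a "patched" result from the probe speaks only to the original function-import bug, not to the follow-up CVE-2014-7169 that Dev Random notes was still open at the time, so the package version is the thing to verify; and a host where `/bin/sh -> dash` is still exposed through anything that starts bash by name, which is why the shebang inventory is part of the check rather than an afterthought.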