[guardian-dev] Update your servers for real

Hans-Christoph Steiner hans at guardianproject.info
Thu Sep 25 21:48:18 EDT 2014


That's for "Lenny users:".  See this section:

Squeeze users:

* Dash is always installed.
* /bin/sh is dash by default (even for upgraded systems).

.hc

Lee Azzarello wrote:
> I'm confused. The article you linked is instructions to install dash and
> configure a base system to use it as default. Am I misunderstanding
> something?
> 
> -lee
> 
> On Thursday, September 25, 2014, Hans-Christoph Steiner <hans at guardianproject.info> wrote:
> 
>>
>> dash is still the default /bin/sh, for speed and security, but you can
>> change that to bash if you want:
>> https://wiki.debian.org/DashAsBinSh
>>
>> Ubuntu also uses dash by default:
>> https://wiki.ubuntu.com/DashAsBinSh
>>
>> .hc
>>
>> Lee Azzarello wrote:
>>> This output is from a Debian stable base system built with debootstrap
>>> and no additional packages installed.
>>>
>>> root at debian:~# ls -l /bin/sh
>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>
>>> I don't think Debian has used Dash since Sarge.
>>>
>>> -lee
>>>
>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>> This seems mitigated by the fact that /bin/sh is -> dash on debian.
>>>> So unless something does explicitly #!/bin/bash, things should be
>>>> okay.
>>>
>>>> BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
>>>> https://news.ycombinator.com/item?id=8365158
>>>
>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>> A remote code execution bug was found in the GNU Bash shell.
>>>>>
>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>
>>>>> I tested it on Debian stable from two days ago and indeed, I
>>>>> could execute code after a function definition in an environment
>>>>> variable. A server I updated yesterday evening was not
>>>>> vulnerable, as the Debian team got a patch released quite fast.
>>>>>
>>>>> This affects any server you run any code on, though the remote
>>>>> code execution attack vector is unlikely for many contemporary
>>>>> application servers. Read the write up for details about a proof
>>>>> of concept.
>>>>>
>>>>> Good Morning!
>>>>>
>>>>> -lee
>>>>> _______________________________________________
>>>>> Guardian-dev mailing list
>>>>>
>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>
>>>>> To Unsubscribe
>>>>>         Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>         Or visit:
>>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>
>>>>> You are subscribed as: c1.android at niftybox.net
>>>
>>>
>>>
>>
>> --
>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
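As an added example (my own script, not code from the thread or from Guardian Project), a POSIX sh script that runs the published CVE-2014-6271 probe Lee describes, an exported-function definition in an environment variable followed by a command, and also reports what /bin/sh really resolves to and whether a given script forces bash through its shebang line, the two points the rest of the thread argues about. The function names, output strings and the temporary sample script are assumptions of mine; the probe covers only the original bug, not the CVE-2014-7169 follow-up mentioned above.

```shell
#!/bin/sh
# Added example, not code from the thread: check a host for the original
# Shellshock bug (CVE-2014-6271) the way Lee describes testing it, and
# report the /bin/sh and shebang facts the rest of the thread argues about.
# Function names, messages and the sample script are my own.

# Run the published CVE-2014-6271 probe against the given bash binary
# (default: whatever "bash" resolves to on PATH). The environment variable
# x carries an exported-function definition followed by a command; an
# unpatched bash executes that trailing command while importing the
# function, a patched one treats x as an ordinary variable.
# Prints and returns: vulnerable -> 0, patched -> 1, no bash found -> 2.
shellshock_check() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 0 ;;
        *)            echo "patched";    return 1 ;;
    esac
}

# Name of the shell /bin/sh really is (e.g. "dash" or "bash"), following
# every symlink, since "ls -l /bin/sh" shows only the first hop.
default_sh() {
    target=$(readlink -f /bin/sh 2>/dev/null) || target=/bin/sh
    basename "$target"
}

# True (0) if the script in $1 forces bash with its shebang line, which is
# the "unless something does explicitly #!/bin/bash" case: a dash /bin/sh
# does nothing for such scripts.
uses_bash_shebang() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '#!'*bash*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration on this host with a constructed sample script.
if shellshock_check; then
    echo "bash on this host still runs commands from env function definitions"
else
    echo "bash on this host does not run the CVE-2014-6271 payload (or is absent)"
fi
echo "/bin/sh is really: $(default_sh)"
sample=$(mktemp)
printf '#!/bin/bash\necho hello\n' > "$sample"
if uses_bash_shebang "$sample"; then
    echo "$sample would run under bash regardless of what /bin/sh is"
fi
rm -f "$sample"
```

Run it with `sh shellshock_check.sh` on the host you want to assess. Against an unpatched bash the probe really does execute the trailing `echo`, so point it only at machines you are responsible for; a "patched" result from this probe says nothing about CVE-2014-7169, which needs its own test.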

