Re: [Fedora] Heads up: possible BASH security vulnerability

> On Wed, 24 Sep 2014, Patrick O'Callaghan wrote:
>
>>
>> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>>
>> From the article:
>>
>> The vulnerability affects versions 1.14 through 4.3 of GNU Bash. [...]
>> To check your system, from a command line, type:
>>
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>
>> If the system is vulnerable, the output will be:
>>
>>        vulnerable
>>        this is a test
>>
>> An unaffected (or patched) system will output:
>>
>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>         bash: warning: x: ignoring function definition attempt
>>         bash: error importing function definition for `x'
>>         this is a test
>>
>> I tried it and got the positive (vulnerable) result.
>>
>> Can we assume a patched version of Bash will be released shortly?
>>
>> poc

On 25 September 2014 08:55, Walter Cazzola <cazzola@xxxxxxxxxxx> wrote:
> Dear Experts,
> I was wondering if it could be a good workaround to link /bin/sh to tcsh
> instead of bash. I'm not using bash at all but probably something in the
> system is so do you know some contraindication on a system with apache
> and SVN servers?
>

I'd have thought tcsh and bash semantics were sufficiently different
this would break things (with the exception of cases where the shell
is simply being used to launch a command). Dash (as in Debian and
Ubuntu) might be a better replacement, though /bin/sh scripts that
relied on bash features would still break. You would still not have
any protection for CGI scripts that specify bash as the interpreter.
Disabling CGI if you don't need it would probably be the best
protection, not familiar enough with mod_dav_svn to say for sure
though.

-- 
imalone
http://ibmalone.blogspot.co.uk
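As an added illustration (not code from the thread, the article, or Fedora), the following POSIX sh script turns the two points above into a quick inventory check: it runs the article's self-test against each shell that might be sitting behind /bin/sh, and then lists scripts under a directory whose shebang names bash, since those would still be interpreted by bash no matter where /bin/sh points. The shell list and the `/var/www/cgi-bin` default directory are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Reports which shells import function
# definitions from the environment (the article's self-test) and which
# scripts would still be run by bash because their shebang names it.

# Prints one of: missing | vulnerable | patched
shellshock_status() {
    shell="$1"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # The marker word is only echoed if the shell executes the command that
    # trails the function body stored in the environment variable.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Prints every regular file under $1 whose first line is a shebang that
# names bash, either directly (#!/bin/bash) or via env (#!/usr/bin/env bash).
bash_shebang_scripts() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            '#!'*/bash|'#!'*/bash' '*|'#!'*/env' 'bash|'#!'*/env' 'bash' '*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# Driver: shells to probe and the CGI directory are assumptions for the example.
for s in /bin/sh /bin/bash /bin/dash /bin/tcsh; do
    printf '%-10s %s\n' "$s" "$(shellshock_status "$s")"
done
echo "scripts whose shebang names bash under ${1:-/var/www/cgi-bin}:"
bash_shebang_scripts "${1:-/var/www/cgi-bin}"
```

Run it as `sh check-shells.sh /path/to/cgi-bin`; a shell reported as `patched` simply means the trailing command was not executed, which is also what you get for shells such as tcsh or dash that never imported functions from the environment in the first place.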
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org