Re: shellshock - detect in Apache?

On 26 Sep 2014 at 15:06, Gary Stainburn wrote:

From:           	Gary Stainburn <gary.stainburn@xxxxxxxxxxxxxx>
Organization:   	Ringways Garages Ltd
To:             	users@xxxxxxxxxxxxxxxxxxxxxxx
Subject:        	Re: shellshock - detect in Apache?
Date sent:      	Fri, 26 Sep 2014 15:06:23 +0100
Send reply to:  	Community support for Fedora users 
<users@xxxxxxxxxxxxxxxxxxxxxxx>
	
> On Friday 26 September 2014 14:05:01 Michael D. Setzer II wrote:
> > I download the
> > ftp://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
> > and the patches in
> > ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/
> >
> > Installed the 25 patches and then build the code.
> > Running the test on that version of bash passes the test.
> >
> > Don't know if there would be any issues with then replacing the older bash
> > on a system with the newly build one, but that didn't take much time to
> > build.
> 
> Tried this and it appears that this version of BASH is still vulnerable
> 
> [root@test bash-4.3]# ./bash
> [root@test bash-4.3]# echo $BASH_VERSION
> 4.3.25(1)-release
> [root@test bash-4.3]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
> [root@test bash-4.3]# 

Problem is you are still running the old bash; "bash -c" should be "./bash -c".

The only issue that I see is that the make install isn't replacing the /bin/bash, 
but is putting the new bash in
/usr/local/bin/bash

Tried to copy bash to the /bin, but it seems to be in use?
But after the make install, it did work.
On one system, I needed to restart to get it to take effect, but have only
checked two systems with older versions of Fedora.








> -- 
> users mailing list
> users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org


+----------------------------------------------------------+
  Michael D. Setzer II -  Computer Science Instructor      
  Guam Community College  Computer Center                  
  mailto:mikes@xxxxxxxxxxxxxxxx                            
  mailto:msetzerii@xxxxxxxxx
  http://www.guam.net/home/mikes
  Guam - Where America's Day Begins                        
  G4L Disk Imaging Project maintainer 
  http://sourceforge.net/projects/g4l/
+----------------------------------------------------------+

http://setiathome.berkeley.edu (Original)
Number of Seti Units Returned:  19,471
Processing time:  32 years, 290 days, 12 hours, 58 minutes
(Total Hours: 287,489)

BOINC@HOME CREDITS
ROSETTA     19981840.971965   |   SETI        33950436.647387
ABC         16613838.513356   |   EINSTEIN    34233765.925899
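
Added example (not part of the original message): the pitfall in this thread is that a bare "bash" is resolved through PATH, so the probe can hit the old binary instead of the one just built. The script below runs the same probe against each binary by explicit path; the function names and the candidate list (/bin/bash, /usr/local/bin/bash, ./bash) are assumptions chosen to match the locations mentioned above.

```shell
#!/bin/sh
# Added example: run the probe from the thread against explicit bash paths.
# A bare "bash" is looked up through PATH and may still be the old binary.

# check_bash PATH -> 0 patched, 1 vulnerable, 2 missing or did not run
check_bash() {
    bin=$1
    [ -x "$bin" ] || return 2
    # Same probe as in the thread, but executed by "$bin" rather than "bash".
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *vulnerable*) return 1 ;;   # function import ran the trailing command
        *probe*)      return 0 ;;   # only the requested command ran
        *)            return 2 ;;   # binary produced no usable output
    esac
}

# describe PATH -> prints one status line for the given binary
describe() {
    rc=0
    check_bash "$1" || rc=$?
    case $rc in
        0) echo "patched     $1" ;;
        1) echo "VULNERABLE  $1" ;;
        *) echo "not tested  $1" ;;
    esac
}

# Show what a bare "bash" resolves to, then test each candidate by path.
# The candidate locations are assumptions taken from the thread.
path_bash=$(command -v bash || true)
echo "bare 'bash' resolves to: ${path_bash:-<none>}"
for b in "$path_bash" /bin/bash /usr/local/bin/bash ./bash; do
    if [ -n "$b" ]; then
        describe "$b"
    fi
done
```

Run it from the build directory so that ./bash is the freshly compiled binary; any line marked VULNERABLE names a binary that still needs replacing.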




