LinuxQuestions.org - [SECURITY NOTICE!] Bash 4.3 (shellshock, CVE-2014-6271 and CVE-2014-7169)

- Linux From Scratch (https://www.linuxquestions.org/questions/linux-from-scratch-13/)

- - [SECURITY NOTICE!] Bash 4.3 (shellshock, CVE-2014-6271 and CVE-2014-7169) (https://www.linuxquestions.org/questions/linux-from-scratch-13/%5Bsecurity-notice-%5D-bash-4-3-shellshock-cve-2014-6271-and-cve-2014-7169-a-4175520214/)

ReaperX7

09-26-2014 02:52 PM

[SECURITY NOTICE!] Bash 4.3 (shellshock, CVE-2014-6271 and CVE-2014-7169)

This patch is for all current LFS builds - sysvinit and systemd:

Quote:

There is a critical bug (shellshock, CVE-2014-6271 and CVE-2014-7169) than needs to be fixed in bash. All users should update their current version of bash according to the instructions at:

http://www.linuxfromscratch.org/lfs/...er06/bash.html

http://www.linuxfromscratch.org/lfs/...er06/bash.html

Note1: The suffix in bash-4.3-upstream_fixes-4.patch has changed.

Note2: Older installations of bash versions before 4.3 may also need to also install readline-6.3.

corbis_demon

09-27-2014 08:59 AM

This is good news, but I came across this article which seems to suggests that bash is still vulnerable. But really, is it? Some insight would be helpful.

Keith Hedger

09-28-2014 06:47 AM

If you want to check if your bash is vulnerable try this code:

Code:

keithhedger@LFSStarBug:~-> export x='() { :;}; echo You are vulnerable'

keithhedger@LFSStarBug:~-> bash -c "echo test"

You are vulnerable

test

After updating

Code:

keithhedger@LFSStarBug:~-> export x='() { :;}; echo You are vulnerable'

keithhedger@LFSStarBug:~-> bash -c "echo test"

test

If you are updating to bash-4.3 you also have to update readline to 6.3

All times are GMT -5. The time now is 11:34 AM.