Bash "shellshock" CVE-2014-6271 CVE-2014-7169

CincinnatiKid · 09-27-2014, 05:18 PM

If you want to know if your version of bash is vulnerable, you can run:

Code:

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If the word "vulnerable" appears in the output then you are vulnerable to shellshock.

To update bash to a protected revision, run:

Code:

urpmi --update bash

unSpawn · 09-28-2014, 05:34 AM

See https://www.linuxquestions.org/quest...-a-4175519975/ for more details.

floppywhopper · 09-28-2014, 06:02 PM

I get this

Quote:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

is this OK or not

{BBI}Nexus{BBI} · 09-29-2014, 07:24 AM

Yes that is ok. See here: Shellshocker.net for other tests you can run.

floppywhopper · 09-29-2014, 02:13 PM

thanks

nigelc · 10-06-2014, 05:56 AM

since this bug has been announced i have had 3 updates to the bash shell.

jkerr82508 · 10-07-2014, 10:37 AM

There's one more on the way:
https://bugs.mageia.org/show_bug.cgi?id=14239

Jim

stormi · 10-08-2014, 03:57 AM

If you have installed the recent bash updates, your system is not vulnerable anymore. There was a patch that fixed the issue once and for all, and all those "test" scripts meant to tell if you're vulnerable or not are now obsolete, because they don't demonstrate a vulnerability anymore, they just demonstrate bugs in the parser... But those bugs are not exploitable anymore.

The upcoming update will fix remaining bugs, but it's not a security update (although it has been assigned a CVE because it would be a security issue for those who didn't apply the "make the bug not exploitable" patch).

More information in the bug report linked by Jim above.