Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-26 Thread The Wanderer
On 09/25/2014 at 11:16 AM, The Wanderer wrote: > On 09/24/2014 at 04:52 PM, Steve Litt wrote: > >> Hi everyone, > >> Bash Code Injection Vulnerability via Specially Crafted >> Environment Variables (CVE-2014-6271) >

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Joe Loiacono
Brian wrote on 09/25/2014 02:08:15 PM: > From: Brian > To: debian-user@lists.debian.org > Date: 09/25/2014 02:08 PM > Subject: Re: Bash Code Injection Vulnerability via Specially Crafted > Environment Variables (CVE-2014-6271) > > On Thu 25 Sep 2014 at 13:59:40 -040

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Mike McGinn
On Thursday, September 25, 2014 13:59:40 Joe Loiacono wrote: > By default I have seemingly assumed sysadmin duties for a host running > Debian 6.0.7 (squeeze). So (not having done a lot of this before) ... > > > 1) the system bash is vulnerable > > > env x='() { :;}; echo vulnerable' bash -c "

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Brian
On Thu 25 Sep 2014 at 13:59:40 -0400, Joe Loiacono wrote: > By default I have seemingly assumed sysadmin duties for a host running > Debian 6.0.7 (squeeze). So (not having done a lot of this before) ... https://wiki.debian.org/LTS/Using https://wiki.debian.org/LTS https://wiki.debian.org/LTS/FAQ

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Joe Loiacono
By default I have seemingly assumed sysadmin duties for a host running Debian 6.0.7 (squeeze). So (not having done a lot of this before) ... 1) the system bash is vulnerable > env x='() { :;}; echo vulnerable' bash -c "echo this is a test" vulnerable this is a test 2) bash is version 4.1.5 h

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread The Wanderer
On 09/24/2014 at 04:52 PM, Steve Litt wrote: > Hi everyone, > > Bash Code Injection Vulnerability via Specially Crafted > Environment Variables (CVE-2014-6271) > > https://access.redhat.com/articles/1200223 > > My

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Gokan Atmaca
Hello. To protect against this weakness, it is sufficient to do as follows: apt-get update and apt-get install --only-upgrade bash On Thu, Sep 25, 2014 at 10:18 AM, Håkon Alstadheim wrote: > According to > : > Red Hat h

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271

2014-09-25 Thread Jonathan Dowland
On Wed, Sep 24, 2014 at 04:25:58PM -0500, John Hasler wrote: > Mailing list: debian-security-annou...@lists.debian.org > > You should be subscribed. I'd just like to re-iterate this. *EVERY* debian user should subscribe to that list.

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-25 Thread Håkon Alstadheim
According to : Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnera

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread Brian
On Wed 24 Sep 2014 at 16:52:50 -0400, Steve Litt wrote: > Bash Code Injection Vulnerability via Specially Crafted Environment > Variables (CVE-2014-6271) > > https://access.redhat.com/articles/1200223 [Snip] Nearly 50 minutes before your mail we had: To: debian-user@lists.debia

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271

2014-09-24 Thread Steve Litt
On Wed, 24 Sep 2014 16:25:58 -0500 John Hasler wrote: [snip] > Package: bash > CVE ID : CVE-2014-6271 > > Stephane Chazelas discovered a vulnerability in bash, [snip] > For the stable distribution (wheezy), this problem has been fixed in > version 4.2+dfsg-0.1+deb7u1. [snip]

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271

2014-09-24 Thread John Hasler
Debian Security Advisory DSA-3032-1 secur...@debian.org http://www.debian.org/security/ Florian Weimer September 24, 2014 http://www.debian.org/security/faq

Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread Iain M Conochie
On 24/09/14 21:52, Steve Litt wrote: Hi everyone, Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) https://access.redhat.com/articles/1200223 My current Debian setup is vulnerable, as shown below

Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread Steve Litt
Hi everyone, Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) https://access.redhat.com/articles/1200223 My current Debian setup is vulnerable, as shown below: == slitt@mydesq2:~$ env x='() { :;}; \