Re: bash vulnerability jessie

2014-10-01 Thread Andrei POPESCU
On Vi, 26 sep 14, 16:35:15, Harry Putnam wrote:
> The Wanderer  writes:
> 
> >> But here After finishing the post you quote above... I again
> >> ran `aptitude full-upgrade' (this is minutes ago) And there were no
> >> packages shown and nothing was done.
> >
> > When did you last run 'apt-get update' or similar?
> 
> Bingo... last upd was last week.  But running it just now, followed by
> full-upgrade got me a new bash version.

You should *always* run 'apt-get update' (or equivalent) before any 
install/upgrade/dist-upgrade runs.

If your machine is fully upgraded, i.e. 'apt-get upgrade' returns 
something like

# apt-get upgrade
Reading package lists... Done
Building dependency tree   
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

running any kind of upgrade/dist-upgrade command is pointless, because 
your apt can't know there are new (versions of) packages on the mirrors.

If your machine is not fully up-to-date or you want to install something 
without running 'update' first you will probably get in strange 
situations where your apt is trying to download packages (versions) that 
don't exist on your mirrors (anymore).

You have to run 'update' first, so that apt has fresh lists of packages.

Did I mention you should run 'apt-get update' before running other apt 
commands? Ok, you don't really need it for remove/purge, but it doesn't 
hurt either. So don't forget to run 'apt-get update' before 
install/upgrade or dist-upgrade.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt
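
Added example, not part of the original message: a small shell check for the situation described above, where 'Installed' equals 'Candidate' only because the cached package lists are a week old. The function names and the two sample texts are assumptions made for illustration; the sample version strings are the ones quoted elsewhere in this thread.

```shell
#!/bin/sh
# Added example. The two SAMPLE_* texts are constructed from version strings
# quoted in the thread; they are not captured output.

# Read `apt-cache policy <pkg>` output on stdin, print "<installed> <candidate>".
policy_versions() {
    awk '$1 == "Installed:" { inst = $2 }
         $1 == "Candidate:" { cand = $2 }
         END { print inst, cand }'
}

# Classify the same output. Equal versions only mean "nothing newer in the
# package lists apt has cached", which is why 'apt-get update' must come first.
upgrade_state() {
    set -- $(policy_versions)
    if [ -z "$1" ] || [ "$1" = "(none)" ]; then
        echo "not-installed"
    elif [ "$1" = "$2" ]; then
        echo "current-per-cached-lists"
    else
        echo "pending $1 -> $2"
    fi
}

# Run the test string from this thread against a bash binary (default: the
# bash found in PATH). Returns 0 when the trailing command was executed.
# A non-zero result covers this one test string only; the thread notes that
# a more complete fix followed the first one.
bash_runs_test_string() {
    out=$(env x='() { :;}; echo VULNERABLE' "${1:-bash}" -c : 2>/dev/null)
    [ "$out" = "VULNERABLE" ]
}

# Constructed sample: lists last refreshed before the fixed package appeared.
SAMPLE_STALE='bash:
  Installed: 4.3-9
  Candidate: 4.3-9
  Version table:
 *** 4.3-9 0
        100 /var/lib/dpkg/status'

# Constructed sample: the same machine right after "apt-get update".
SAMPLE_FRESH='bash:
  Installed: 4.3-9
  Candidate: 4.3-9.1
  Version table:
     4.3-9.1 0
 *** 4.3-9 0
        100 /var/lib/dpkg/status'

printf '%s\n' "$SAMPLE_STALE" | upgrade_state
printf '%s\n' "$SAMPLE_FRESH" | upgrade_state

if bash_runs_test_string; then
    echo "bash: test string was executed, upgrade the bash package"
else
    echo "bash: test string was not executed"
fi

# On a live system, as root:
#   apt-get update && apt-cache policy bash | upgrade_state
```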




Re: bash vulnerability jessie

2014-09-26 Thread Chris Bannister
On Fri, Sep 26, 2014 at 03:44:21PM -0400, Harry Putnam wrote:
> 
> PS - I don't really understand the version differences in apt-cache
> policy and `bash --version'.

apt-cache policy bash

is the Debian package version

bash --version 

is the actual upstream bash version.

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140926223420.GC26504@tal



Re: bash vulnerability jessie

2014-09-26 Thread Lisi Reisz
On Friday 26 September 2014 21:35:15 Harry Putnam wrote:
> > When did you last run 'apt-get update' or similar?
>
> Bingo... last upd was last week.  But running it just now, followed by
> full-upgrade got me a new bash version.

Sorry.  Very careless of me.  :-(  Blame the lateness of the hour.

Lisi


Archive: https://lists.debian.org/201409262308.19373.lisi.re...@gmail.com



Re: bash vulnerability jessie

2014-09-26 Thread Lisi Reisz
On Friday 26 September 2014 20:58:49 The Wanderer wrote:
> > But here After finishing the post you quote above... I again
> > ran `aptitude full-upgrade' (this is minutes ago) And there were no
> > packages shown and nothing was done.
>
> When did you last run 'apt-get update' or similar?

Erm...  Minutes ago??

Lisi


Archive: https://lists.debian.org/201409262306.11409.lisi.re...@gmail.com



Re: bash vulnerability jessie

2014-09-26 Thread Harry Putnam
The Wanderer  writes:

>> But here After finishing the post you quote above... I again
>> ran `aptitude full-upgrade' (this is minutes ago) And there were no
>> packages shown and nothing was done.
>
> When did you last run 'apt-get update' or similar?

Bingo... last upd was last week.  But running it just now, followed by
full-upgrade got me a new bash version.

Thanks for your patience... 

I was beginning to get a bit worried that my somewhat unconventional
sources.list was causing big troubles.  And I've had it in place for
weeks... so wondering what other nastiness I might find...

Now I can ease up a bit.  But guess who will be running an upd RIGHT
before any more full-upgrades


Archive: https://lists.debian.org/871tqyp1bw@reader.local.lan



Re: bash vulnerability jessie

2014-09-26 Thread The Wanderer

On 09/26/2014 at 03:44 PM, Harry Putnam wrote:

> The Wanderer  writes:
> 
>> I have (trimmed for brevity):
>> 
>> $ apt-cache policy bash
>> bash:
>>   Installed: 4.3-9.1
>> 
>> $ bash --version
>> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)
>> 
>> This is as of just over 3 hours ago as I type this.
> 
> I'm not sure what that means exactly... the different version 
> numbers above.
> 
> But here After finishing the post you quote above... I again
> ran `aptitude full-upgrade' (this is minutes ago) And there were no
> packages shown and nothing was done.

When did you last run 'apt-get update' or similar?

> To remove any doubt about environment I rebooted following the 
> actions mentioned above.  Here is my info compared to yours
> 
> apt-cache policy bash
> 
> bash: Installed: 4.3-9

This is what I had prior to my most recent upgrade, the one from noon
today (a little under four hours ago now).

I ran 'apt-get update' literally minutes before running the install;
about the only thing I did in between was that same 'apt-cache policy'
command, to check whether there was in fact a new version to upgrade to.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw


Archive: https://lists.debian.org/5425c579.9050...@fastmail.fm



Re: bash vulnerability jessie

2014-09-26 Thread Harry Putnam
Harry Putnam  writes:

> The Wanderer  writes:
>
>> I have (trimmed for brevity):
>>
>> 
>> $ apt-cache policy bash
>> bash:
>>   Installed: 4.3-9.1
>>
>> $ bash --version
>> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)
>> 

Egad I neglected to post this below above

 x='() { :;}; echo VULNERABLE' bash -c :
   VULNERABLE

or
 env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello


Archive: https://lists.debian.org/8761gap3jo@reader.local.lan



Re: bash vulnerability jessie

2014-09-26 Thread Harry Putnam
The Wanderer  writes:

> I have (trimmed for brevity):
>
> 
> $ apt-cache policy bash
> bash:
>   Installed: 4.3-9.1
>
> $ bash --version
> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)
> 
>
> This is as of just over 3 hours ago as I type this.

I'm not sure what that means exactly... the different version numbers
above.

But here After finishing the post you quote above... I again ran 
`aptitude full-upgrade' (this is minutes ago)
And there were no packages shown and nothing was done.
To remove any doubt about environment I rebooted following the actions
mentioned above.  Here is my info compared to yours

apt-cache policy bash 

  bash:
    Installed: 4.3-9
    Candidate: 4.3-9
    Version table:
   *** 4.3-9 0
          500 http://ftp.us.debian.org/debian/ testing/main i386 Packages
          100 /var/lib/dpkg/status
       4.2+dfsg-0.1 0
          500 http://ftp.us.debian.org/debian/ wheezy/main i386 Packages

(my sources.list included wheezy due to some wheezy pkgs on board)

  bash --version
   GNU bash, version 4.3.24(1)-release (i586-pc-linux-gnu)

Perhaps you are closer to the outwardly propagating changes?

---   ---   ---=---   ---   --- 

PS - I don't really understand the version differences in apt-cache
policy and `bash --version'.


Archive: https://lists.debian.org/87a95mp3oq@reader.local.lan



Re: bash vulnerability jessie

2014-09-26 Thread Joe
On Fri, 26 Sep 2014 14:56:15 -0400
Harry Putnam  wrote:


> 
> Thanks for the input..
> 
> 

This looks fairly comprehensive:

https://access.redhat.com/articles/1200223

My Sid bash is now 4.3-9.2 dated 22:58 yesterday and appears OK. No
doubt this will be rushed into Jessie if it isn't there already.

-- 
Joe


Archive: https://lists.debian.org/20140926201040.2e85e...@jresid.jretrading.com



Re: bash vulnerability jessie

2014-09-26 Thread The Wanderer

On 09/26/2014 at 02:56 PM, Harry Putnam wrote:

> The Wanderer  writes:
> 
>> On 09/26/2014 at 11:56 AM, Harry Putnam wrote:

>>> I did ssh to my user from the same shell I ran aptitude in to 
>>> make sure I had a new login... but I still see `Vulnerable' in 
>>> answer to the string above.
>> 
>> With what version of bash?
> 
>> I just upgraded to 4.3-9.1, from current testing, which includes 
>> the existing partial fix (a more complete one is apparently now
>> in sid). I retested with the same test command you listed, as
>> well as with what I'd seen the failure on before, and it now
>> shows as non-vulnerable.
> 
> [...]
> 
> I appear to have left out the fact that I'm talking about
> `jessie'. Sorry, a foolish slip... I usually do include that info.
> 
> I may be a simpleton but I assumed anyone freshly `full-upgraded' 
> with jessie  would have the same version.
> 
> Apparently not... here, after a full-upgrade of jessie about 2 hrs 
> ago at a little before noon or so Eastern standard (US) time I see:
> 
> bash --version
> GNU bash, version 4.3.24(1)-release (i586-pc-linux-gnu)

I have (trimmed for brevity):


$ apt-cache policy bash
bash:
  Installed: 4.3-9.1

$ bash --version
GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)


This is as of just over 3 hours ago as I type this.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw


Archive: https://lists.debian.org/5425b951.3070...@fastmail.fm



Re: bash vulnerability jessie

2014-09-26 Thread Harry Putnam
Lisi Reisz  writes:

> So little mention??  There have been three threads.

I said little... I did not say none.

Compared to systemd cyclone of threads and posts, it is `little' and
probably much more important at least right now.
I guess I expected more than I see here.


Archive: https://lists.debian.org/8738be1a2r@reader.local.lan



Re: bash vulnerability jessie

2014-09-26 Thread Harry Putnam
The Wanderer  writes:

> On 09/26/2014 at 11:56 AM, Harry Putnam wrote:
>
>> After an `aptitude full-upgrade' this morning.  I still get the
>> `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'
>>
>> I hope that is the correct string... (extracted while googling on
>> vulnerability)
>
> I've seen a few different ones, and that isn't any of them, but it seems
> to work just as well as the "canonical" one which I've seen demonstrate
> the vulnerability in the past.

[...]

Thanks for that input.

>
>> I did ssh to my user from the same shell I ran aptitude in to make
>> sure I had a new login... but I still see `Vulnerable' in answer
>> to the string above.
>
> With what version of bash?

> I just upgraded to 4.3-9.1, from current testing, which includes the
> existing partial fix (a more complete one is apparently now in sid). I
> retested with the same test command you listed, as well as with what I'd
> seen the failure on before, and it now shows as non-vulnerable.

[...] 

I appear to have left out the fact that I'm talking about `jessie'.
Sorry, a foolish slip... I usually do include that info.

I may be a simpleton but I assumed anyone freshly `full-upgraded' with
jessie  would have the same version.

Apparently not... here, after a full-upgrade of jessie about 2 hrs ago
at a little before noon or so Eastern standard (US) time I see:

   bash --version
  GNU bash, version 4.3.24(1)-release (i586-pc-linux-gnu)

   x='() { :;}; echo VULNERABLE' bash -c :
  VULNERABLE

But also I did read in the few threads that have come thru that either
wheezy or jessie  (very recently upgraded)  should not return
`VULNERABLE',

That is not true for me here.  It appears your version of bash is a bit
newer than mine... so I guess it has been updated within a few hours.

However, as I mentioned above from what I've read in our threads, a
full-upgrade only 2 hrs old should not have a version of bash that
returns VULNERABLE.

> In practice, if your computer doesn't run any services (such as a Web or
> SSH server) that can be accessed from a non-trusted IP address (such as
> the outside Internet), you're probably safe.

That pretty well describes me ... I run a ssh and web server on a home
lan so no ssh or www requests from the internet are allowed.  Just the
home network. ...

As a matter of course I have `gone out of my way' as you say for yrs
so maybe not too much threat here.

Thanks for the input..


Archive: https://lists.debian.org/87ioka2ots@reader.local.lan



Re: bash vulnerability jessie

2014-09-26 Thread Ross Boylan
On Fri, Sep 26, 2014 at 9:12 AM, The Wanderer  wrote:

>
> But almost every Debian install includes at least a SSH server, and if
> you haven't gone out of your way to arrange otherwise, it can probably
> be reached from the outside Internet by someone who knows the correct IP
> address.

Is ssh vulnerable if the outsider can't login?

Ross Boylan
>
> (Exactly which outside-accessible services do and don't expose the
> vulnerability isn't very clear at the moment AFAIK, so it's better to
> err on the safe side and assume they all do until evidence one way or
> the other can be found.)
>
> - --
>The Wanderer
>


Archive: 
https://lists.debian.org/CAK3NTRAJ=8dJ5b0h_mKE_AuHgEFf3CgXtOB2B=npvplrbf-...@mail.gmail.com



Re: bash vulnerability jessie

2014-09-26 Thread Gary Dale

On 26/09/14 12:23 PM, Patrick Wiseman wrote:
> On Sep 26, 2014 11:56 AM, "Harry Putnam" wrote:
> >
> > After an `aptitude full-upgrade' this morning.  I still get the
> > `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'
> >
> > I hope that is the correct string... (extracted while googling on
> > vulnerability)
> >
> > I did ssh to my user from the same shell I ran aptitude in to make
> > sure I had a new login... but I still see `Vulnerable' in answer to
> > the string above.
> >
> > Incidentally I get that same `Vulnerable' answer to `ksh' as well.
> > After googling a bit about ksh... I haven't really found solid info
> > about whether ksh is a problem too.
> >
> > I was a little surprised to see so little mention of this bash
> > thing here too.
> >
> > Is this bash vulnerability not really a major concern?
>
> I just upgraded my testing system and the vulnerability went away.
>
> Patrick

The full vulnerability hasn't been fixed yet, according to Gnu, but the 
problem still requires getting access to the computer to exploit it. The 
fixes as they come out should be available to all supported Debian releases.



Archive: https://lists.debian.org/5425943d.8040...@torfree.net



Re: bash vulnerability jessie

2014-09-26 Thread Patrick Wiseman
On Sep 26, 2014 11:56 AM, "Harry Putnam"  wrote:
>
> After an `aptitude full-upgrade' this morning.  I still get the
> `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'
>
> I hope that is the correct string... (extracted while googling on
> vulnerability)
>
> I did ssh to my user from the same shell I ran aptitude in to make
> sure I had a new login... but I still see `Vulnerable' in answer to
> the string above.
>
> Incidentally I get that same `Vulnerable' answer to `ksh' as well.
> After googling a bit about ksh... I haven't really found solid info
> about whether ksh is a problem too.
>
> I was a little surprised to see so little mention of this bash
> thing here too.
>
> Is this bash vulnerability not really a major concern?

I just upgraded my testing system and the vulnerability went away.

Patrick


Re: bash vulnerability jessie

2014-09-26 Thread The Wanderer

On 09/26/2014 at 11:56 AM, Harry Putnam wrote:

> After an `aptitude full-upgrade' this morning.  I still get the 
> `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'
> 
> I hope that is the correct string... (extracted while googling on 
> vulnerability)

I've seen a few different ones, and that isn't any of them, but it seems
to work just as well as the "canonical" one which I've seen demonstrate
the vulnerability in the past.

> I did ssh to my user from the same shell I ran aptitude in to make 
> sure I had a new login... but I still see `Vulnerable' in answer
> to the string above.

With what version of bash?

I just upgraded to 4.3-9.1, from current testing, which includes the
existing partial fix (a more complete one is apparently now in sid). I
retested with the same test command you listed, as well as with what I'd
seen the failure on before, and it now shows as non-vulnerable.

> Incidentally I get that same `Vulnerable' answer to `ksh' as well. 
> After googling a bit about ksh... I haven't really found solid
> info about whether ksh is a problem too.
> 
> I was a little surprised to see so little mention of this bash
> thing here too.
> 
> Is this bash vulnerability not really a major concern?

Security analysts say it's potentially a bigger problem than Heartbleed.
(It's going by the name "Shellshock" for handy reference, rather than
having to talk about "that bash vulnerability" or the like.)

In practice, if your computer doesn't run any services (such as a Web or
SSH server) that can be accessed from a non-trusted IP address (such as
the outside Internet), you're probably safe.

But almost every Debian install includes at least a SSH server, and if
you haven't gone out of your way to arrange otherwise, it can probably
be reached from the outside Internet by someone who knows the correct IP
address.

(Exactly which outside-accessible services do and don't expose the
vulnerability isn't very clear at the moment AFAIK, so it's better to
err on the safe side and assume they all do until evidence one way or
the other can be found.)

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw


Archive: https://lists.debian.org/54259088.6010...@fastmail.fm



Re: bash vulnerability jessie

2014-09-26 Thread Lisi Reisz
On Friday 26 September 2014 16:56:05 Harry Putnam wrote:
> After an `aptitude full-upgrade' this morning.  I still get the
> `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'
>
> I hope that is the correct string... (extracted while googling on
> vulnerability)
>
> I did ssh to my user from the same shell I ran aptitude in to make
> sure I had a new login... but I still see `Vulnerable' in answer to
> the string above.
>
> Incidentally I get that same `Vulnerable' answer to `ksh' as well.
> After googling a bit about ksh... I haven't really found solid info
> about whether ksh is a problem too.
>
> I was a little surprised to see so little mention of this bash
> thing here too.
>
> Is this bash vulnerability not really a major concern?

So little mention??  There have been three threads.

The first and most relevant:
https://lists.debian.org/20140924165250.2351e...@mydesq2.domain.cxm

Lisi



Archive: https://lists.debian.org/201409261711.57302.lisi.re...@gmail.com



bash vulnerability jessie

2014-09-26 Thread Harry Putnam
After an `aptitude full-upgrade' this morning.  I still get the
`VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :'

I hope that is the correct string... (extracted while googling on
vulnerability)

I did ssh to my user from the same shell I ran aptitude in to make
sure I had a new login... but I still see `Vulnerable' in answer to 
the string above.

Incidentally I get that same `Vulnerable' answer to `ksh' as well.
After googling a bit about ksh... I haven't really found solid info
about whether ksh is a problem too.

I was a little surprised to see so little mention of this bash
thing here too. 

Is this bash vulnerability not really a major concern?


Archive: https://lists.debian.org/87sije2x62@reader.local.lan