Re: bash-3.1, Shellshock issue, specially CVE-2014-7187.

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: bash-3.1, Shellshock issue, specially CVE-2014-7187.

From:	Eric Blake
Subject:	Re: bash-3.1, Shellshock issue, specially CVE-2014-7187.
Date:	Fri, 14 Nov 2014 06:18:06 -0700
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0

On 11/13/2014 11:25 PM, yutingkao23@yutingkao23-desktop wrote:

>         Does bash-3.1 with patch 23 fix the CVE-2014-7187 already ?

Yes.  Read the list archives. You are running a bogus test (and should
report it to whoever wrote it), as the test you are running is NOT a
test for the CVE vulnerability, but for a particular parser weakness
that only got introduced in newer versions of bash.

This is the DEFINITIVE test if you are vulnerable to Shellshock remote
execution:

f='() { echo vulnerable; }' bash -c f

If it prints "vulnerable", you need to upgrade.  If it prints "bash: f:
command not found", you are secure.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

bash-3.1, Shellshock issue, specially CVE-2014-7187., yutingkao23, 2014/11/14
- Re: bash-3.1, Shellshock issue, specially CVE-2014-7187., Eric Blake <=
- Re: bash-3.1, Shellshock issue, specially CVE-2014-7187., Chet Ramey, 2014/11/14
- Re: bash-3.1, Shellshock issue, specially CVE-2014-7187., Vettel_Kao高毓廷, 2014/11/17

Prev by Date: Re: set -o notify spurious CR when jobs redirected to file
Next by Date: Re: bash-3.1, Shellshock issue, specially CVE-2014-7187.
Previous by thread: bash-3.1, Shellshock issue, specially CVE-2014-7187.
Next by thread: Re: bash-3.1, Shellshock issue, specially CVE-2014-7187.
Index(es):
- Date
- Thread