[Whonix-devel] latest updates not fix all bash bug !

• Next message: [Whonix-devel] latest updates not fix all bash bug !
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

please read that may be serious secure hole

  bash ShellShock bug ,

in whonix forum i was read for bash bug that fixed in whonix 9.3 , my 
host is fedora 20 with latest updates , my whonix is 9 with latest 
updates , so now must be 9.3 + , anyway i was download whonix 9
& sig it with kgpg successfuly , then i was make sudo apt-get update && 
sudo apt-get dist-upgrade on both of guests (today that) , then restart 
them & make all tests for bug bash that recomented in that site :


http://serverfault.com/questions/631257/how-to-test-if-my-server-is-vulnerable-to-the-shellshock-bug



success pass to all tests exept one ! & that is this :



The other part of ShellShock check is the CVE-2014-7169 vulnerability 
check ensures that the system is protected from the file creation issue. 
To test if your version of Bash is vulnerable to CVE-2014-7169, run the 
following command:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat 
/tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

If your system is vulnerable, the time and date will display and 
/tmp/echo will be created.

If your system is not vulnerable, you will see output similar to:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat 
/tmp/echo
date
cat: /tmp/echo: No such file or directory




so in my terminal  the time and date displays after that command , and 
that means the latest whonix is
vulnerable in that specific bash bug . I dont know if that test is only 
for servers but i think is  for regular pcs to.

• Next message: [Whonix-devel] latest updates not fix all bash bug !
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]