[Whonix-devel] latest updates not fix all bash bug !

Patrick Schleizer adrelanos at riseup.net
Fri Dec 5 07:55:57 CET 2014


superuser at openmailbox.org wrote:
> Please read this; it may be a serious security hole:
> 
> the bash ShellShock bug.
> 
> In the Whonix forum I read that the bash bug was fixed in Whonix 9.3. My
> host is Fedora 20 with the latest updates, and my Whonix is 9 with the latest
> updates, so by now it must be 9.3+. Anyway, I downloaded Whonix 9
> and verified its sig with kgpg successfully, then I ran sudo apt-get update &&
> sudo apt-get dist-upgrade on both of the guests (today), then restarted
> them and ran all the tests for the bash bug that are recommended on this site:
> 
> http://serverfault.com/questions/631257/how-to-test-if-my-server-is-vulnerable-to-the-shellshock-bug
> 
> 
> All tests passed successfully except one, and that is this:
> 
> The other part of the ShellShock check is the CVE-2014-7169 vulnerability
> check, which ensures that the system is protected from the file creation issue.
> To test if your version of Bash is vulnerable to CVE-2014-7169, run the
> following command:
> 
> $ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
> bash: x: line 1: syntax error near unexpected token `='
> bash: x: line 1: `'
> bash: error importing function definition for `x'
> Fri Sep 26 11:49:58 GMT 2014
> 
> If your system is vulnerable, the time and date will display and
> /tmp/echo will be created.
> 
> If your system is not vulnerable, you will see output similar to:
> 
> $ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
> date
> cat: /tmp/echo: No such file or directory
> 
> So in my terminal the time and date display after that command, and
> that means the latest Whonix is
> vulnerable to that specific bash bug. I don't know if that test is only
> for servers, but I think it is for regular PCs too.

Using Whonix-Workstation 9.4 here. Freshly imported for testing
purposes. Without any updates even. Works for me. Doesn't show date,
doesn't create file /tmp/echo.

If it's fixed by Debian, it would be very strange if it's not updated
on your system. There could be something wrong with your apt sources.

Cheers,
Patrick
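
The check discussed in this thread, wrapped as a repeatable script. This is an added example and not part of either message; the function names and the `BASH_UNDER_TEST` variable are assumptions made for it.

```shell
#!/bin/sh
# Added example (not from the thread): the CVE-2014-7169 probe from the
# quoted message, run in a scratch directory instead of /tmp.
# BASH_UNDER_TEST is a variable name chosen for this example.

check_cve_2014_7169() {
    bash_bin=${BASH_UNDER_TEST:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash not found: $bash_bin" >&2
        return 2
    fi
    workdir=$(mktemp -d) || return 2

    # Same environment string and command as in the message. Per the quoted
    # test, an affected bash creates a file named "echo" in the working
    # directory; a fixed bash just prints the literal word "date".
    out=$(cd "$workdir" && env 'x=() { (a)=>\' "$bash_bin" -c "echo date" 2>/dev/null)

    if [ -e "$workdir/echo" ]; then
        verdict=1            # file created: vulnerable
    elif [ "$out" = "date" ]; then
        verdict=0            # literal "date", no file: not vulnerable
    else
        verdict=2            # neither pattern: inconclusive
    fi
    rm -rf "$workdir"
    return "$verdict"
}

report_cve_2014_7169() {
    rc=0
    check_cve_2014_7169 || rc=$?
    case $rc in
        0) echo "bash is not vulnerable to CVE-2014-7169" ;;
        1) echo "bash is VULNERABLE to CVE-2014-7169" ;;
        *) echo "CVE-2014-7169 check inconclusive" ;;
    esac
    return "$rc"
}

report_cve_2014_7169 || :
```

If this reports a vulnerable bash on a guest that has been through `apt-get dist-upgrade`, `apt-cache policy bash` shows the installed version and which configured apt source it came from.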


