Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)
From: Eric Blake
Subject: Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)
Date: Thu, 25 Sep 2014 14:52:57 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/25/2014 09:33 AM, ralf.naegele@she.net wrote:
> Hello,
>
> I've downloaded the source for bash 4.3 and all patches, patched the source
> to Patch 25.
> But according to some description I've found (http://heise.de/-2403305 sorry,
> only in German available), you can test with the command
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Are you sure you are testing your just-built bash, and not whatever
version of bash happened to be first in your $PATH?

>
> if your bash is vulnerable. But according to this test the bash 4.3 with patch
> 25 seems still vulnerable. I've tried this test with other Linux servers, where the
> patched bash binaries came from the repositories (Ubuntu, CentOS), where this test
> now fails.
>
> So my question: is bash in this version with patch 25 still vulnerable to
> CVE-2014-6271?

No. Patch 25 is what solves CVE-2014-6271 (but you will still need to
wait for Patch 26 before having a solution to the weaker CVE-2014-7169).

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
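
The point raised in the reply, as an added example that is not part of the original message or the bash project: the same CVE-2014-6271 test from the thread, run against a binary named by explicit path so the result does not depend on which bash is first in `$PATH`. The function names `check_shellshock` and `report` and the `./bash` build path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: run the thread's CVE-2014-6271 test against an explicit binary.

# check_shellshock BIN
# Prints "vulnerable", "not vulnerable" or "not executable" for BIN.
# Returns 0 (not vulnerable), 1 (vulnerable), 2 (BIN cannot be run).
check_shellshock() {
    bin=$1
    [ -x "$bin" ] && [ ! -d "$bin" ] || { echo "not executable"; return 2; }
    # Same test as in the message, but the shell is named by path
    # instead of being resolved through $PATH.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>/dev/null)
    # A vulnerable bash runs the trailing command while importing x,
    # so "vulnerable" appears on a line of its own before the test output.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo "vulnerable"; return 1
    fi
    echo "not vulnerable"; return 0
}

# report BIN: show which file was tested, its version line and the verdict.
report() {
    ver=$("$1" --version 2>/dev/null | head -n 1)
    printf '%s (%s): %s\n' "$1" "${ver:-version unknown}" "$(check_shellshock "$1")"
}

# With no arguments, test the bash that $PATH resolves to; otherwise test
# each path given, e.g. ./bash from the build directory (hypothetical path).
if [ $# -eq 0 ]; then
    path_bash=$(command -v bash) && report "$path_bash"
else
    for b in "$@"; do report "$b"; done
fi
```

Passing both the freshly built binary and the output of `command -v bash` prints the two verdicts side by side, which shows at once whether the earlier test hit the system shell instead of the patched build.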