bug-bash

Re: bash-2.05b-013 appears to not work


From: Eric Blake
Subject: Re: bash-2.05b-013 appears to not work
Date: Thu, 16 Oct 2014 19:59:48 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1

On 10/16/2014 03:02 PM, Dave Kalaluhi wrote:
> We have been compiling some of the older versions of bash to fix
> vulnerabilities, and for the most part, it has been working.
> 
> However, when we patch the 013 patch for CVE-2014-7187, and run the
> nested loop, it's still showing as vulnerable.

Exactly HOW are you testing?

> 
> Has anyone else had a similar experience?

Reading the archives, I see other people using an invalid test for
CVE-2014-7187:

https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00137.html
https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00140.html

Remember, a parser bug is not necessarily an exploitable vulnerability.
 It is sufficient to know that bash cannot be exploited once you apply
patch 10 (all 6 CVEs were neutralized by that one patch, as well as any
other as-yet-unreported parser bugs).


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
