Hello, I've downloaded the source for bash 4.3 and all patches, patched the source to Patch 25. But according some description I've found (http://heise.de/-2403305 sorry, only in German available), you can test with the command
env x='() { :;}; echo vulnerable' bash -c "echo this is a test" if your bash is vulnerable. But according this test the bash 4.3 with patch 25 seems still vulnerable. I've tried this test with other Linux servers, where the patched bash binaries came from the repositories (Ubuntu, CentOS), where this test now fails. So my question: is bash in this version with patch 25 still vulnerable to CVE-2014-6271? With kind regards, Ralf Configuration Information [Automatically generated, do not change]: Machine: i686 OS: linux-gnu Compiler: gcc Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i686' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu' -DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -g -O2 uname output: Linux pinie 2.6.18.8-0.3-default #1 SMP Tue Apr 17 08:42:35 UTC 2007 i686 athlon i386 GNU/Linux Machine Type: i686-pc-linux-gnu Bash Version: 4.3 Patch Level: 25 Release Status: release Description: [Detailed description of the problem, suggestion, or complaint.] Repeat-By: [Describe the sequence of events that causes the problem to occur.] Fix: [Description of how to fix the problem. If you don't know a fix for the problem, don't include this section.]