On 09/25/2014 09:33 AM, ralf.naeg...@she.net wrote:
> Hello,
>
> I've downloaded the source for bash 4.3 and all patches, patched the source
> to Patch 25.
> But according to some description I've found (http://heise.de/-2403305 sorry,
> only in German
> available), you can test with the command
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Are you sure you are testing your just-built bash, and not whatever
version of bash happened to be first in your $PATH?

>
> if your bash is vulnerable. But according to this test the bash 4.3 with patch
> 25 seems
> still vulnerable. I've tried this test with other Linux servers, where the
> patched
> bash binaries came from the repositories (Ubuntu, CentOS), where this test
> now fails.
>
> So my question: is bash in this version with patch 25 still vulnerable to
> CVE-2014-6271?

No. Patch 25 is what solves CVE-2014-6271 (but you will still need to
wait for Patch 26 before having a solution to the weaker CVE-2014-7169).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
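The $PATH question raised in the reply, as an added example that is not part of the original message: the same probe run against one explicit binary, so the result describes the build you name rather than whichever `bash` the shell finds first. The function names `check_bash` and `path_bash` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. check_bash BINARY runs the CVE-2014-6271 probe quoted in the
# thread against exactly one bash binary, given by absolute path.
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = could not test.
check_bash() {
    bin=$1
    case $bin in
        /*) ;;   # absolute path: no $PATH lookup can substitute another build
        *)  echo "error: need an absolute path, got '$bin'" >&2; return 2 ;;
    esac
    [ -x "$bin" ] || { echo "error: $bin is not executable" >&2; return 2; }

    # Version string reported by that binary; the third field is the patch level.
    ver=$("$bin" -c 'echo "$BASH_VERSION"' 2>/dev/null)

    # Same probe as in the thread, but invoking "$bin" instead of a bare "bash".
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null)

    case $out in
        *vulnerable*)       echo "VULNERABLE $bin ($ver)"; return 1 ;;
        *"this is a test"*) echo "OK $bin ($ver)"; return 0 ;;
        *)                  echo "error: unexpected output from $bin" >&2; return 2 ;;
    esac
}

# path_bash prints the binary a bare "bash" command resolves to, which is what
# the probe in the quoted message actually tested.
path_bash() {
    command -v bash
}

# Stand-alone use: ./check.sh /absolute/path/to/your/built/bash
if [ $# -gt 0 ]; then
    echo "bare 'bash' resolves to: $(path_bash)"
    check_bash "$1"
fi
```

Comparing the path printed by `path_bash` with the path of the freshly built binary shows at once whether the original test exercised the patched build.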