This output is from a Debian stable base system built with debootstrap and no additional packages installed.

root@debian:~# ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash

I don't think Debian has used Dash since Sarge.

-lee

On 9/25/14, 1:36 PM, Dev Random wrote:
> This seems mitigated by the fact that /bin/sh is -> dash on debian.
> So unless something does explicitly #!/bin/bash, things should be
> okay.
>
> BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
> https://news.ycombinator.com/item?id=8365158
>
> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>> A remote code execution bug was found in the GNU Bash shell.
>>
>> http://seclists.org/oss-sec/2014/q3/650
>>
>> I tested it on Debian stable from two days ago and indeed, I
>> could execute code after a function definition in an environment
>> variable. A server I updated yesterday evening was not
>> vulnerable, as the Debian team got a patch released quite fast.
>>
>> This affects any server you run any code on, though the remote
>> code execution attack vector is unlikely for many contemporary
>> application servers. Read the write-up for details about a proof
>> of concept.
>>
>> Good Morning!
>>
>> -lee
>> _______________________________________________
>> Guardian-dev mailing list
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
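
The thread turns on two facts about a host: what /bin/sh resolves to, and which scripts name bash explicitly in their shebang. The following inventory script is an added example, not part of the original messages; the function names are hypothetical, and it assumes a `readlink` that supports `-f` (GNU coreutils or BusyBox). It reports where bash is the interpreter, not whether the installed bash is patched.

```sh
#!/bin/sh
# Added example: list the scripts on a host that end up interpreted by bash.

# Print the basename of the binary a shell path finally resolves to
# (follows chains such as /bin/sh -> /etc/alternatives/sh -> /bin/bash).
resolve_shell() {
    target=$(readlink -f "$1") || return 1
    basename "$target"
}

# Print the interpreter basename from a file's shebang line, or nothing.
# Handles "#!/bin/bash -e", "#! /bin/sh" and "#!/usr/bin/env bash".
shebang_interp() {
    LC_ALL=C awk 'NR == 1 && /^#!/ {
        sub(/\r$/, "")
        sub(/^#![ \t]*/, "")
        n = split($0, w, /[ \t]+/)
        m = split(w[1], p, "/")
        if (p[m] == "env" && n >= 2) m = split(w[2], p, "/")
        print p[m]
    } { exit }' "$1" 2>/dev/null
}

# Succeed if script $1 is run by bash, given that sh resolves to $2.
runs_under_bash() {
    interp=$(shebang_interp "$1")
    [ "$interp" = sh ] && interp=$2
    [ "$interp" = bash ]
}

# audit_dir DIR [SH_PATH]: print every file under DIR that bash would run.
# SH_PATH defaults to /bin/sh.
audit_dir() {
    sh_is=$(resolve_shell "${2:-/bin/sh}") || return 1
    find "$1" -type f | sort | while IFS= read -r f; do
        if runs_under_bash "$f" "$sh_is"; then printf '%s\n' "$f"; fi
    done
}

# Stand-alone use: ./audit.sh /etc/init.d
if [ $# -gt 0 ]; then audit_dir "$@"; fi
```

On a host where /bin/sh resolves to dash, only the explicit bash shebangs are listed; where it resolves to bash, every `#!/bin/sh` script is listed as well.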
