I'm confused. The article you linked is instructions to install dash and configure a base system to use it as default. Am I misunderstanding something?
-lee

On Thursday, September 25, 2014, Hans-Christoph Steiner <[email protected]> wrote:

>
> dash is still the default /bin/sh, for speed and security, but you can change
> that to bash if you want:
> https://wiki.debian.org/DashAsBinSh
>
> Ubuntu also uses dash by default:
> https://wiki.ubuntu.com/DashAsBinSh
>
> .hc
>
> Lee Azzarello wrote:
> > This output is from a Debian stable base system built with debootstrap
> > and no additional packages installed.
> >
> > root@debian:~# ls -l /bin/sh
> > lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
> >
> > I don't think Debian has used Dash since Sarge.
> >
> > -lee
> >
> > On 9/25/14, 1:36 PM, Dev Random wrote:
> >> This seems mitigated by the fact that /bin/sh is -> dash on debian.
> >> So unless something does explicitly #!/bin/bash, things should be
> >> okay.
> >
> >> BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
> >> https://news.ycombinator.com/item?id=8365158
> >
> >> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
> >>> A remote code execution bug was found in the GNU Bash shell.
> >>>
> >>> http://seclists.org/oss-sec/2014/q3/650
> >>>
> >>> I tested it on Debian stable from two days ago and indeed, I
> >>> could execute code after a function definition in an environment
> >>> variable. A server I updated yesterday evening was not
> >>> vulnerable, as the Debian team got a patch released quite fast.
> >>>
> >>> This affects any server you run any code on, though the remote
> >>> code execution attack vector is unlikely for many contemporary
> >>> application servers. Read the write-up for details about a proof
> >>> of concept.
> >>>
> >>> Good Morning!
> >>>
> >>> -lee
> >>> _______________________________________________
> >>> Guardian-dev mailing list
> >>>
> >>> Post: [email protected]
> >>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> >>>
> >>> To Unsubscribe
> >>> Send email to: [email protected]
> >>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
> >>>
> >>> You are subscribed as: [email protected]
>
> --
> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
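The thread turns on two checks: what /bin/sh resolves to, and which scripts name bash explicitly in their shebang line. The following is an added example, not part of the original thread, that performs both checks under a given root directory; the function names sh_target, bash_shebang_scripts and audit are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the name /bin/sh resolves to under ROOT (for example dash or bash).
sh_target() {
    link="${1%/}/bin/sh"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    elif [ -e "$link" ]; then
        echo "not-a-symlink"   # real binary: identify it by hand
    else
        echo "missing"
    fi
}

# List regular files under DIR whose first line is a bash shebang.
# File names containing newlines are not handled.
bash_shebang_scripts() {
    find "$1" -xdev -type f 2>/dev/null | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case $first in
            '#!'*/bash | '#!'*/bash' '* | '#!'*'env bash' | '#!'*'env bash '*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# One-line summary for ROOT: the /bin/sh target and the bash script count.
audit() {
    target=$(sh_target "$1")
    count=$(bash_shebang_scripts "$1" | wc -l | tr -d ' ')
    echo "sh=$target bash_scripts=$count"
}

# Usage: sh audit.sh /path/to/root
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

A shebang scan only finds scripts that name bash on their first line; it does not find programs that start bash by other means.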
