<snipped historical discussion of bash bug> None of yesterday's fixes are complete (but still use yesterday's patch anyway in the meantime, as it's better than nothing).
bash is STILL vulnerable everywhere, as tracked by this (newer) CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 I'm not currently aware of a patch for the revised issue as of yet. Some folks I know (my employer, for instance) are responding by completely disabling function exports completely, which does the job: https://github.com/akamai/bash/commit/7caac6ee41f645fc21b6e5eddc820151f6e6c43c Note that (as I discovered) the patch above will successfully apply INCORRECTLY to some older versions of bash, unless you also specify --fuzz 1 (fuzz 2, the default, lets it apply). In one version of bash (4.2.something) I patched, the results were BUILDABLE, but completely wrong. Eyeball it after patching to make sure it only excludes the body of a single if statement. Example of the still-existing exploit: $ env X='() { (a)=>\' sh -c "echo date"; cat echo (if the file "echo" exists afterwards, it's vulnerable) Again, as of this time, there is NO released patch for this one yet. -mjc _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
