Hi John Rowe!

 On 2014.09.25 at 10:26:53 +0100, John Rowe wrote next:

> On Thu, 2014-09-25 at 09:16 +0000, Werf, C.G. van der (Carel) wrote:
> > Yesterday a lot of yum-updates ran to update to the latest bash-versions.
> > 
> > Though my /bin/bash was changed last night, and yum.log shows 3.2.33 should 
> > have installed, 
> > # /bin/bash --version still shows 3.2.25
> > 
> > Of course, also # strings /bin/bash  shows old version number.
> > 
> > Is this a policy NOT to change version-numbers?
> 
> It's worth pointing out that there has just been a serious (and possibly
> remote!) bash vulnerability which this fixes. 
> 
> A test is:
> 
> env X="() { :;} ; echo vulnerable" /bin/bash -c "echo completed"
> 

The only problem is that the vulnerability is not yet fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c24

We need to wait for further fixes.

-- 

Vladimir
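
An added example, not part of the original messages: the test command quoted above, wrapped so that any number of shell binaries can be judged by behaviour rather than by the version string, which the thread shows can stay the same after an update. The function names are this example's own, and it checks only what that one quoted command checks.

```shell
#!/bin/sh
# Usage: sh check_bash.sh /bin/bash [other shell paths...]

# check_bash_env_import SHELL_PATH
# Runs the test command from the thread against SHELL_PATH.
# Returns 0 if only "completed" is printed,
#         1 if "vulnerable" is printed (code after the function body ran),
#         2 if the binary is missing or gives unexpected output.
check_bash_env_import() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    out=$(env X='() { :;} ; echo vulnerable' "$shell_path" -c 'echo completed' 2>/dev/null) || return 2
    case $out in
        *vulnerable*) return 1 ;;
        *completed*)  return 0 ;;
        *)            return 2 ;;
    esac
}

# report_shell SHELL_PATH
# Prints the behavioural verdict next to the version banner, so a stale
# version string and the real behaviour can be compared on one line.
report_shell() {
    rc=0
    check_bash_env_import "$1" || rc=$?
    ver=$("$1" --version 2>/dev/null | head -n 1)
    case $rc in
        0) verdict="not affected by this test" ;;
        1) verdict="VULNERABLE" ;;
        *) verdict="could not run test" ;;
    esac
    printf '%s: %s [%s]\n' "$1" "$verdict" "${ver:-version unknown}"
}

# Check every path given on the command line.
for s in "$@"; do
    report_shell "$s"
done
```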
