On 9/25/14 6:23 AM, Vladimir Mosgalin wrote:
> Hi John Rowe!
>
> On 2014.09.25 at 10:26:53 +0100, John Rowe wrote next:
>> On Thu, 2014-09-25 at 09:16 +0000, Werf, C.G. van der (Carel) wrote:
>>> Yesterday a lot of yum-updates ran to update to the latest bash-versions.
>>> Though my /bin/bash was changed last night, and yum.log shows 3.2.33 should
>>> have installed,
>>> # /bin/bash --version still shows 3.2.25
>>> Of course, also # strings /bin/bash shows old version number.
>>> Is this a policy NOT to change version-numbers?
>>
>> It's worth pointing out that there has just been a serious (and possibly
>> remote!) bash vulnerability which this fixes.
>> A test is:
>> env X="() { :;} ; echo vulnerable" /bin/bash -c "echo completed"
>
> The only problem is that vulnerability is not yet fixed:
> https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c24
> We need to wait for further fixes

From: https://access.redhat.com/articles/1200223
Red Hat advises customers to upgrade to the version of bash which
contains the fix for CVE-2014-6271 and not wait for the patch which
fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches
for it are being worked on.
--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill.
MailTo:[email protected] | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
"Information without accountability is just noise." - P.L. Nelson
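
Added example, not part of the original thread: the reported version string did not change in this thread, so this sketch judges a bash binary by its behaviour under the test quoted above and by whether the package changelog names the CVE. The function names and the sample changelog text are constructed for illustration; `rpm -q --changelog bash` is the assumed source of real changelog text.

```shell
#!/bin/sh
# Classify the stdout of the probe quoted in the thread. A bash with the
# CVE-2014-6271 fix prints only "completed"; an affected bash also executes
# the text after the function body and prints "vulnerable".
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo "VULNERABLE" ;;
        *completed*)  echo "not-vulnerable" ;;
        *)            echo "inconclusive" ;;
    esac
}

# Run the probe against one bash binary (default /bin/bash).
# stderr is discarded because some patched builds print import warnings there.
check_bash() {
    bin=${1:-/bin/bash}
    if [ ! -x "$bin" ]; then
        echo "missing"
        return 0
    fi
    out=$(env X='() { :;} ; echo vulnerable' "$bin" -c 'echo completed' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Succeed if changelog text on stdin names the given CVE id.
# On an RPM system: rpm -q --changelog bash | fix_listed CVE-2014-6271
fix_listed() {
    grep -q -F -- "$1"
}

# Constructed sample of changelog text; a real entry will be worded differently.
SAMPLE_CHANGELOG='* (constructed date) (constructed packager) - (constructed release)
- CVE-2014-6271: fix for function definitions imported from the environment'

# Stand-alone run: behaviour of the local bash, then the sample changelog
# checked for both CVE ids named in the thread.
echo "/bin/bash: $(check_bash /bin/bash)"
for cve in CVE-2014-6271 CVE-2014-7169; do
    if printf '%s\n' "$SAMPLE_CHANGELOG" | fix_listed "$cve"; then
        echo "$cve: listed in changelog"
    else
        echo "$cve: not listed in changelog"
    fi
done
```

The probe only covers CVE-2014-6271; for CVE-2014-7169 the sketch checks the changelog alone.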