bug-bash

Re: bash-3.1, Shellshock issue, specially CVE-2014-7187.


From: Eric Blake
Subject: Re: bash-3.1, Shellshock issue, specially CVE-2014-7187.
Date: Fri, 14 Nov 2014 06:18:06 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0

On 11/13/2014 11:25 PM, yutingkao23@yutingkao23-desktop wrote:

> Does bash-3.1 with patch 23 fix the CVE-2014-7187 already?

Yes.  Read the list archives. You are running a bogus test (and should
report it to whoever wrote it), as the test you are running is NOT a
test for the CVE vulnerability, but for a particular parser weakness
that only got introduced in newer versions of bash.

This is the DEFINITIVE test if you are vulnerable to Shellshock remote
execution:

f='() { echo vulnerable; }' bash -c f

If it prints "vulnerable", you need to upgrade.  If it prints "bash: f:
command not found", you are secure.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
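
The test quoted in the message above, wrapped as an added example (not part of the original post) that runs it against every bash binary on a host and classifies the two outcomes the message describes. The function names `classify_result`, `check_bash` and `audit_all` are hypothetical, and the use of `/etc/shells` plus `PATH` to locate binaries is an assumption.

```shell
#!/bin/sh
# Added example: audit bash binaries with the test from the message above.

# classify_result OUTPUT STATUS
# Prints one of: vulnerable | not-vulnerable | inconclusive
classify_result() {
    case "$1" in
        vulnerable)
            # The value of f was imported as a function and executed.
            echo vulnerable ;;
        *"command not found"*)
            # f stayed a plain variable, so bash searched for a command f.
            # 127 is the shell's exit status for "command not found".
            if [ "$2" -eq 127 ]; then
                echo not-vulnerable
            else
                echo inconclusive
            fi ;;
        *)
            echo inconclusive ;;
    esac
}

# check_bash /absolute/path/to/bash
# env -i gives a clean, C-locale environment. PATH points at a directory
# assumed not to exist, so a real program named "f" cannot cause a false
# "vulnerable". --norc/--noprofile keep startup files out of the picture.
check_bash() {
    status=0
    out=$(env -i PATH=/nonexistent f='() { echo vulnerable; }' \
          "$1" --norc --noprofile -c f 2>&1) || status=$?
    classify_result "$out" "$status"
}

# audit_all: check every bash listed in /etc/shells plus the one on PATH.
audit_all() {
    { grep '/bash$' /etc/shells 2>/dev/null; command -v bash; } | sort -u |
    while read -r b; do
        if [ -x "$b" ]; then
            printf '%s\t%s\n' "$b" "$(check_bash "$b")"
        fi
    done
}

audit_all
```

An `inconclusive` result means the binary printed neither of the two messages the test relies on and should be checked by hand.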
