You're viewing old version number 4. - Current version
Linux Bash security flaw - September 2014
Sep 24, 2014 threads:
- http://www.metafilter.com/143038/Running-a-server-Drop-everything-and-update-it-now
- https://news.ycombinator.com/item?id=8361574
- https://news.ycombinator.com/item?id=8364746
- https://news.ycombinator.com/item?id=8365158
- https://news.ycombinator.com/item?id=8365110
Stories:
- http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html
- http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html
- http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/
- http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered-7000034044/
To test if machine is vulnerable, execute at the command prompt:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
On my Digital Ocean-hosted Ubuntu server, the system returned:
vulnerable
this is a test
I updated Bash by executing:
sudo apt-get update && sudo apt-get install --only-upgrade bash
Then after executing env x='() { :;}; echo vulnerable' bash -c "echo this is a test" again, the system returned:
bash: warning: badvar: ignoring function definition attempt
bash: error importing function definition for `badvar'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
But as of Sep 24, 2014, the update is only a partial fix.
I tested the servers that host my other sites, and those servers did not show the vulnerability. I would not be able to update those servers, since my accounts exist on shared servers.
From JR's : articles
167 words - 1551 chars
created on
updated on
- #
source
- versions
Related articles
Linux Bash security flaw - September 2014 - Sep 25, 2014