undefined | Better HN

0 pointsdllthomas11y ago0 comments

It's fixed in Debian as well.

0 comments

jvreeland11y ago

only in wheezy (security) right now.

squeeze. jessie and wheezy are still vulnerable.

https://security-tracker.debian.org/tracker/CVE-2014-6271

ars11y ago

squeeze is not supported anymore but you can use squeeze-lts.

It's been uploaded to squeeze-lts but has not reached the mirrors.

You can get it manually from http://incoming.debian.org/debian-buildd/pool/main/b/bash/ if you can't wait.

danielweber11y ago

I've got a Debian VM I maintain for giggles, and just out of masochism I've been running "apt-get update" and "apt-get upgrade" for a while and watching nothing change.. Am I doing something wrong or is the whole process just slow?

    deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
    deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

1 more reply

yebyen11y ago

I am not so sure. Debian sid (i386) with current updates, the example test shows I am still vulnerable. 4.3-9 bash

dllthomasOP11y ago

I ran

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

and got

    vulnerable
    this is a test

so I did

    apt-get update
    apt-get install bash

and now I get

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

bash version 4.2.37(1)-release

Edited: Seems like jvreeland has a clearer picture: https://news.ycombinator.com/item?id=8362309

yebyen11y ago

Yeah, I was current yesterday and I'm current today, with both apt-get update and upgrades. Your version number is lower than mine, you must be on either stable or testing.

ii bash 4.3-9 i386 GNU Bourne Again SHell

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable this is a test

From the FAQ:

> Does sid have security updates?

Not in the same sense that stable does. If the maintainer of a package fixes a security bug and uploads the package, it'll go into sid by the normal means. If the maintainer doesn't do that, then it won't. The security team only covers stable (and possibly testing... there's a pending issue for that case).

1 more reply

j / k navigate · click thread line to collapse

0 comments

jvreeland11y ago

only in wheezy (security) right now.

squeeze. jessie and wheezy are still vulnerable.

https://security-tracker.debian.org/tracker/CVE-2014-6271

ars11y ago

squeeze is not supported anymore but you can use squeeze-lts.

It's been uploaded to squeeze-lts but has not reached the mirrors.

You can get it manually from http://incoming.debian.org/debian-buildd/pool/main/b/bash/ if you can't wait.

danielweber11y ago

    deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
    deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

1 more reply

yebyen11y ago

I am not so sure. Debian sid (i386) with current updates, the example test shows I am still vulnerable. 4.3-9 bash

dllthomasOP11y ago

I ran

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

and got

    vulnerable
    this is a test

so I did

    apt-get update
    apt-get install bash

and now I get

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

bash version 4.2.37(1)-release

Edited: Seems like jvreeland has a clearer picture: https://news.ycombinator.com/item?id=8362309

yebyen11y ago

Yeah, I was current yesterday and I'm current today, with both apt-get update and upgrades. Your version number is lower than mine, you must be on either stable or testing.

ii bash 4.3-9 i386 GNU Bourne Again SHell

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable this is a test

From the FAQ:

> Does sid have security updates?

1 more reply

j / k navigate · click thread line to collapse