Accueil » Trisquel » Tickets
Soumis par ivaylo le jeu, 09/25/2014 - 11:59

Bash security bug

Projet:Trisquel
Version:7.0
Composant:Programs
Catégorie:Rapporter un bogue
Priorité:critical
Attribué:Non assigné
Statut:closed
Description

A bug in GNU Bash had been discovered that allows an attacker to execute arbitrary code.

To test if a system is volunarable execute:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Volunarable system will return

vulnerable
this is a test

Secure system will return:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Debian 7 has already been patched.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

grave_123:
jeu, 09/25/2014 - 12:15

Will we be getting a patch soon?
Anyone know?

Mzee:
jeu, 09/25/2014 - 16:18

There is a related issue: https://trisquel.info/en/issues/12244

david:
jeu, 09/25/2014 - 17:52
Statut:active» fixed

Fixed in package 4.2-2ubuntu2.2+6.0.1trisquel1

Mampir:
jeu, 09/25/2014 - 20:28
Version:6.0» 7.0
Statut:fixed» active

Trisquel 7.0 is still vulnerable

jxself:
sam, 09/27/2014 - 08:10

Trisquel 7 is still in development and is not officially supported at this time. If you wish a stable and secure system please stick with version 6 until 7 is released and official support begins. Otherwise please remember that you are using an unsupported Trisquel version. If you'd like to try it out and help make it better by reporting bugs and such, thanks! However, timely updates for unsupported versions should not be expected.

Legimet:
mar, 09/30/2014 - 21:58

Fixed, please change the bug status.

SirGrant:
mer, 10/15/2014 - 20:13
Statut:active» fixed
quidam:
mer, 10/29/2014 - 20:15
Statut:fixed» closed

Automatically closed -- issue fixed for 2 weeks with no activity.