[mdlug] shellshock - Bash Version not updated after corrective act ion

Brian Brodsky brianbrodsky at ameritech.net
Sat Sep 27 19:42:40 EDT 2014


Gib,

Both Redhat and Ubuntu backport changes as opposed to installing new 
software. You have to look at the packages that are installed to see a 
difference. I updated my desktop this morning. It has Ubuntu 14.04 
installed and is showing the package I have installed is 4.3-7ubuntu1.4. 
Bash itself reports 4.3.11(1):

brian at brian-desktop:~$ COLUMNS=130 dpkg -l bash
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                       Version            Architecture       Description
+++-==========================-==================-==================-==========================================================
ii  bash                       4.3-7ubuntu1.4     amd64              GNU Bourne Again SHell
brian at brian-desktop:~$ bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
brian at brian-desktop:~$


Brian

On 09/27/2014 11:52 AM, gib at juno.com wrote:
> I have some systems running Ubuntu.  I keep them up-to-date.
>
> This (9/27/2014) morning I ran the script and found they were not safe.
> I updated
> Here is the method:
> 1. Go to the upper left corner in the main screen and click on the wheel.
> 2. Select the option "About this Computer".
> 3. Click on: "Install Updates".
>
> I see the script now says that it is safe.
> But the version of Bash has not changed.
>
> Here is a before and after shell results:
>
> gib at gib-fourcore:~$ env x='() { :;}; echo -n NOT\ ' bash -c 'echo safe from shellshock'
> NOT safe from shellshock
> gib at gib-fourcore:~$ /bin/bash -version
> GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>
> This is free software; you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> gib at gib-fourcore:~$ /bin/bash -version
> GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>
> This is free software; you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> gib at gib-fourcore:~$ env x='() { :;}; echo -n NOT\ ' bash -c 'echo safe from shellshock'
> safe from shellshock
> gib at gib-fourcore:~$
>
>
> ---------- Original Message ----------
> From: "Carl T. Miller" <carl at carltm.com>
> To: "MDLUG's Main discussion list" <mdlug at mdlug.org>
> Subject: Re: [mdlug] shellshock
> Date: Sat, 27 Sep 2014 06:39:45 -0400
>
> Garry Stahl wrote:
>> On 09/26/2014 02:30 PM, Carl T. Miller wrote:
>>> env x='() { :;}; echo -n NOT\ ' bash -c 'echo safe from shellshock'
>> Is this the result you are suppose to get?  I ran updates last night
>> before I even saw the news.
>>
>> bash: warning: x: ignoring function definition attempt
>> bash: error importing function definition for `x'
>> safe from shellshock
> Yes, you can ignore the first two lines that are errors,
> and it says "safe from shellshock".  You're good.
>
> c
>
>
> _______________________________________________
> mdlug mailing list
> mdlug at mdlug.org
> http://mdlug.org/mailman/listinfo/mdlug
>
> ____________________________________________________________
> Map Your Flood Risk
> Find Floodplan Maps, Facts, FAQs, Your Flood Risk Profile and More!
> http://thirdpartyoffers.juno.com/TGL3131/5426dd9443e125d9364a4st02vuc
> _______________________________________________
> mdlug mailing list
> mdlug at mdlug.org
> http://mdlug.org/mailman/listinfo/mdlug



More information about the mdlug mailing list