[Whonix-devel] latest updates not fix all bash bug !
superuser at openmailbox.org
Wed Dec 3 22:45:29 CET 2014
Please read; this may be a serious security hole:
the bash ShellShock bug.
In the Whonix forum I read that the bash bug was fixed in Whonix 9.3. My
host is Fedora 20 with the latest updates, and my Whonix is 9 with the latest
updates, so it must now be 9.3+. Anyway, I downloaded Whonix 9
and checked its signature with kgpg successfully, then I ran sudo apt-get update &&
sudo apt-get dist-upgrade on both of the guests (today), then restarted
them and ran all the tests for the bash bug recommended on this site:
http://serverfault.com/questions/631257/how-to-test-if-my-server-is-vulnerable-to-the-shellshock-bug
It passed all the tests except one, and that is this:
The other part of ShellShock check is the CVE-2014-7169 vulnerability
check ensures that the system is protected from the file creation issue.
To test if your version of Bash is vulnerable to CVE-2014-7169, run the
following command:
$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014
If your system is vulnerable, the time and date will display and
/tmp/echo will be created.
If your system is not vulnerable, you will see output similar to:
$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
So in my terminal the time and date are displayed after that command, and
that means the latest Whonix is
vulnerable to that specific bash bug. I don't know if that test is only
for servers, but I think it is for regular PCs too.
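
The CVE-2014-7169 test quoted in the message above, wrapped as an added example that is not part of the original post or of Whonix: it runs the same probe in a private scratch directory and decides by whether a file named `echo` was created, which is the side effect the quoted test describes. The function name `check_cve_2014_7169` and its exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: CVE-2014-7169 check that does not touch /tmp/echo.
# Usage: check_cve_2014_7169 [bash binary: absolute path or a name on PATH]
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = check could not run.
check_cve_2014_7169() {
    shell_bin=${1:-bash}
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo "unknown: $shell_bin not found"
        return 2
    fi
    scratch=$(mktemp -d) || { echo "unknown: mktemp failed"; return 2; }

    # Same probe as the quoted test. A vulnerable bash treats the trailing
    # ">\" left over from the function import as a redirection, so the
    # command "echo date" becomes "date > echo" in the current directory.
    (
        cd "$scratch" || exit 1
        env 'x=() { (a)=>\' "$shell_bin" -c "echo date" >/dev/null 2>&1
        exit 0   # the probe's own exit status is irrelevant to the verdict
    ) || { rm -rf "$scratch"; echo "unknown: cannot use scratch dir"; return 2; }

    # The verdict depends only on the file side effect, not on printed text.
    if [ -e "$scratch/echo" ]; then
        verdict=1
        echo "vulnerable: $shell_bin created a file named 'echo'"
    else
        verdict=0
        echo "not vulnerable: $shell_bin created no file"
    fi
    rm -rf "$scratch"
    return "$verdict"
}
# Example call: check_cve_2014_7169 /bin/bash; echo "status=$?"
```

Run it once per installed bash binary (for instance inside each guest), since the result applies only to the binary that was tested.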