The first patch to bash fixed for the initial tests.
Here is a test for the initial patched bash that showed another problem...
env X='() { (a)=>\' sh -c "echo date"; cat echo
Prints the date if there is trouble.
Debian updated the stable distrib this morning to catch the new exploit.
Unfortunately there seems to be even more trouble coming:
http://tinyurl.com/mzvcgbc
If you are running Debian stable, the default shell is dash, which is safe,
but if you upgraded from an older release in stages (say etch->squeeze->wheezy)
you may not be using dash.
ls -l /bin/sh
Check to see where the symlink points to.
To "fix", make sure dash is installed:
sudo apt-get install dash
Then use the /etc/alternatives method to set it as the default:
sudo update-alternatives --install /bin/sh sh /bin/dash 1
Make sure it's set:
sudo update-alternatives --config sh
Hand check this afterwards:
ls -l /bin/sh
should return:
lrwxrwxrwx 1 root root 20 Sep 27 00:15 /bin/sh -> /etc/alternatives/sh
ls -l /etc/alternatives/sh
should return:
lrwxrwxrwx 1 root root 9 Sep 27 00:15 /etc/alternatives/sh -> /bin/dash
To be safe I restarted my apache server and mail system after the change.
Finally, check your password file to see if bash is being explicitly used:
grep bash /etc/passwd
If it is, I suggest you edit your password file so it uses /bin/sh after making
the changes above.
If you are on a non-Debian system you should search your vendor's configuration
to see how to change the default shell.
I don't particularly like dash but it's supposed to be safe.
If you can't live without the features of bash you can just run it
after logging in interactively.
Bob (N0QBJ)
"Brian <n1uro(a)n1uro.ampr.org> says:"
Robbie;
On Fri, 2014-09-26 at 22:38 +0200, Robbie De Lise wrote:
If you want to see if your system is vulnerable you can run the following
commands in a shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
Great tool! Thanks for sharing!
--
 /~\ The ASCII        | Bob Brose N0QBJ
 \ / Ribbon Campaign  | http://www.qbjnet.com/
  X  Help cure        | mailto:bob@qbjnet.com
 / \ HTML Email       | public key at http://www.qbjnet.com/key.html
There are only 10 types of people in the world: Those who understand binary, and those who don't
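
The hand checks in the message above (where /bin/sh ends up, and which accounts have bash as their login shell), scripted as an added example that is not part of the original post. The function names and the optional root-prefix argument are assumptions of this example; it matches the shell field of passwd rather than grepping the whole line.

```shell
#!/bin/sh
# Added example (not from the original post): audit the default shell.
# An optional root prefix lets it run against a mounted image or test tree.

# Follow the symlink chain from <root>/bin/sh, e.g.
# /bin/sh -> /etc/alternatives/sh -> /bin/dash, and print the final path.
resolve_sh() {
    root=${1%/}
    path=/bin/sh
    hops=0
    while [ -L "$root$path" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;                      # absolute link target
            *)  path=$(dirname "$path")/$target ;;   # relative link target
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$path"
}

# Print login names whose shell (7th field of passwd) is bash.
# Checking the field avoids hits on user names or comments containing "bash".
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "$1"
}

# Report both checks; return 1 if bash is still reachable either way.
audit() {
    root=${1:-/}
    status=0
    final=$(resolve_sh "$root")
    echo "/bin/sh resolves to $final"
    if [ "${final##*/}" = bash ]; then status=1; fi
    users=$(bash_login_users "${root%/}/etc/passwd")
    if [ -n "$users" ]; then
        echo "accounts with bash as login shell:" $users
        status=1
    fi
    return $status
}

# Run the audit only when asked: sh thisfile.sh --audit [root]
case ${1:-} in
    --audit) audit "${2:-/}" ;;
esac
```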