On 11/13/2014 11:25 PM, yutingkao23@yutingkao23-desktop wrote: > Does bash-3.1 with patch 23 fix the CVE-2014-7187 already ?
Yes. Read the list archives. You are running a bogus test (and should
report it to whoever wrote it), as the test you are running is NOT a
test for the CVE vulnerability, but for a particular parser weakness
that only got introduced in newer versions of bash.
This is the DEFINITIVE test if you are vulnerable to Shellshock remote
execution:
f='() { echo vulnerable; }' bash -c f
If it prints "vulnerable", you need to upgrade. If it prints "bash: f:
command not found", you are secure.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
