Re: bash vulnerability jessie

On Vi, 26 sep 14, 16:35:15, Harry Putnam wrote: > The Wanderer writes: > > >> But here After finishing the post you quote above... I again > >> ran `aptitude full-upgrade' (this is minutes ago) And there were no > >> packages shown and nothing was done. > > > > When did you last run 'apt-get

Re: bash vulnerability jessie

On Fri, Sep 26, 2014 at 03:44:21PM -0400, Harry Putnam wrote: > > PS - I don't really understand the version differences in apt-cache > policy and `bash --version'. apt-cache policy bash is the Debian package version bash --version is the actual upstream bash version. -- "If you're not care

Re: bash vulnerability jessie

On Friday 26 September 2014 21:35:15 Harry Putnam wrote: > > When did you last run 'apt-get update' or similar? > > Bingo... last upd was last week.  But running it just now, followed by > full-upgrade got me a new bash version. Sorry. Very careless of me. :-( Blame the lateness of the hour. L

Re: bash vulnerability jessie

On Friday 26 September 2014 20:58:49 The Wanderer wrote: > > But here After finishing the post you quote above... I again > > ran `aptitude full-upgrade' (this is minutes ago) And there were no > > packages shown and nothing was done. > > When did you last run 'apt-get update' or similar? Erm.

Re: bash vulnerability jessie

The Wanderer writes: >> But here After finishing the post you quote above... I again >> ran `aptitude full-upgrade' (this is minutes ago) And there were no >> packages shown and nothing was done. > > When did you last run 'apt-get update' or similar? Bingo... last upd was last week. But run

Re: bash vulnerability jessie

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 09/26/2014 at 03:44 PM, Harry Putnam wrote: > The Wanderer writes: > >> I have (trimmed for brevity): >> >> $ apt-cache policy bash bash: Installed: 4.3-9.1 >> >> $ bash --version GNU bash, version 4.3.25(1)-release >> (x86_64-pc-lin

Re: bash vulnerability jessie

Harry Putnam writes: > The Wanderer writes: > >> I have (trimmed for brevity): >> >> >> $ apt-cache policy bash >> bash: >> Installed: 4.3-9.1 >> >> $ bash --version >> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu) >> Egad I neglected to post this below above

Re: bash vulnerability jessie

The Wanderer writes: > I have (trimmed for brevity): > > > $ apt-cache policy bash > bash: > Installed: 4.3-9.1 > > $ bash --version > GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu) > > > This is as of just over 3 hours ago as I type this. I'm not sure what that me

Re: bash vulnerability jessie

On Fri, 26 Sep 2014 14:56:15 -0400 Harry Putnam wrote: > > Thanks for the input.. > > This looks fairly comprehensive: https://access.redhat.com/articles/1200223 My Sid bash is now 4.3-9.2 dated 22:58 yesterday and appears OK. No doubt this will be rushed into Jessie if it isn't there alre

Re: bash vulnerability jessie

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 09/26/2014 at 02:56 PM, Harry Putnam wrote: > The Wanderer writes: > >> On 09/26/2014 at 11:56 AM, Harry Putnam wrote: >>> I did ssh to my user from the same shell I ran aptitude in to >>> make sure I had a new login... but I still see `Vulne

Re: bash vulnerability jessie

Lisi Reisz writes: > So little mention?? There have been three threads. I said little... I did not say none. Compared to systemd cyclone of threads and posts, it is `little' and probably much more important at least right now. I guess I expected more than I see here. -- To UNSUBSCRIBE, emai

Re: bash vulnerability jessie

Lisi Reisz writes: > So little mention?? There have been three threads. I said little... I did not say none. Compared to systemd cyclone of threads and posts, it is `little' and probably much more important at least right now. I guess I expected more than I see here. -- To UNSUBSCRIBE, emai

Re: bash vulnerability jessie

The Wanderer writes: > On 09/26/2014 at 11:56 AM, Harry Putnam wrote: > >> After an `aptitude full-upgrade' this morning. I still get the >> `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :' >> >> I hope that is the correct string... (extracted while googling on >> vulnerability)

Re: bash vulnerability jessie

On Fri, Sep 26, 2014 at 9:12 AM, The Wanderer wrote: > > But almost every Debian install includes at least a SSH server, and if > you haven't gone out of your way to arrange otherwise, it can probably > be reached from the outside Internet by someone who knows the correct IP > address. Is ss

Re: bash vulnerability jessie

On 26/09/14 12:23 PM, Patrick Wiseman wrote: On Sep 26, 2014 11:56 AM, "Harry Putnam" > wrote: > > After an `aptitude full-upgrade' this morning. I still get the > `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :' > > I hope that is the correct string.

Re: bash vulnerability jessie

On Sep 26, 2014 11:56 AM, "Harry Putnam" wrote: > > After an `aptitude full-upgrade' this morning. I still get the > `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :' > > I hope that is the correct string... (extracted while googling on > vulnerability) > > I did ssh to my user fro

Re: bash vulnerability jessie

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 09/26/2014 at 11:56 AM, Harry Putnam wrote: > After an `aptitude full-upgrade' this morning. I still get the > `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :' > > I hope that is the correct string... (extracted while googling

Re: bash vulnerability jessie

On Friday 26 September 2014 16:56:05 Harry Putnam wrote: > After an `aptitude full-upgrade' this morning. I still get the > `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :' > > I hope that is the correct string... (extracted while googling on > vulnerability) > > I did ssh to my us

bash vulnerability jessie

After an `aptitude full-upgrade' this morning. I still get the `VULNERABLE' answer to `x='() { :;}; echo VULNERABLE' bash -c :' I hope that is the correct string... (extracted while googling on vulnerability) I did ssh to my user from the same shell I ran aptitude in to make sure I had a new log