http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

I've confirmed that the version of BASH included with 2.15 CU 82 has a vulnerable version of BASH. There are patches available for it.
I can confirm this as well. It appears that 2.15 CU82 is running Bash 3.2.51(1).

[root@ipfire bin]# bash --version
GNU bash, version 3.2.51(1)-release (i586-pc-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.

Running a vulnerability test yields the following:

[root@ipfire bin]# env X="() { :;} ; echo vulnerable" /bin/sh -c "echo testing"
vulnerable
testing

This is fixed in Bash 3.2.52. Note that the Bash version listed at https://pakfire.ipfire.org/package/bash for IPFire 3 - 4.2.11 - is also vulnerable. This should be patched to 4.2.42.
(In reply to comment #1)
> I can confirm this as well. It appears that 2.15 CU82 is running Bash
> 3.2.51(1).
>
> [root@ipfire bin]# bash --version
> GNU bash, version 3.2.51(1)-release (i586-pc-linux-gnu)
> Copyright (C) 2007 Free Software Foundation, Inc.
>
> Running a vulnerability test yields the following:
>
> [root@ipfire bin]# env X="() { :;} ; echo vulnerable" /bin/sh -c "echo
> testing"
> vulnerable
> testing
>
> This is fixed in Bash 3.2.52. Note that the Bash version listed at
> https://pakfire.ipfire.org/package/bash for IPFire 3 - 4.2.11 - is also
> vulnerable. This should be patched to 4.2.42.

Sorry on that last bit - should be patched to 4.2.48, not 4.2.42.
The patch for 3.2 can be found at http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052. The patch for 4.2 can be found at http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-048. Wish I knew how to build patches for IPFire.
The patch was already applied yesterday:
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=6cda6f906eafb269ea7362343b8af609b3d9ce41

Unfortunately, it does not fix the issue completely and we are waiting for another fix that is being developed.
A second patch has been added which will fix CVE-2014-7169:
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=e86c70a99f024c5d2973d25577ca2e657ce659db

Core Update 83 will be available in the testing repository as soon as possible.
http://planet.ipfire.org/post/ipfire-2-15-core-update-83-is-available-for-testing
bash-4.3-11.ip3 has been pushed to the IPFire 3 testing repository. You can provide feedback for this build here: https://pakfire.ipfire.org/build/800d0983-2ff6-4f59-88ce-62d97ba3aafa
bash-4.3-11.ip3 has been pushed to the IPFire 3 unstable repository. You can provide feedback for this build here: https://pakfire.ipfire.org/build/800d0983-2ff6-4f59-88ce-62d97ba3aafa
More vulnerabilities in bash:

CVE-2014-7186 (redir_stack bug)
CVE-2014-7187
CVE-2014-6277 (lcamtuf bug)

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-6271
http://forum.ipfire.org/index.php?topic=11569.msg74966;topicseen#msg74966
bash-4.3-11.ip3 has been pushed to the IPFire 3 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #9)
> More vulnerabilities in bash:
>
> CVE-2014-7186 (redir_stack bug)
> CVE-2014-7187
> CVE-2014-6277 (lcamtuf bug)
>
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-6271
> http://forum.ipfire.org/index.php?topic=11569.msg74966;topicseen#msg74966

Could you please open a new bug report to track the new vulnerabilities as this one should be closed as fixes for CVE-2014-6271 and CVE-2014-7169 have now been shipped.
*** Bug 10638 has been marked as a duplicate of this bug. ***
In the meantime, bash has been updated to version 4.3 on IPFire and all upstream patches have been pulled in:

http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=ce84ace5bf3b2de70fd437e61ef369e5afd82101
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=3347f993b67f13aa6776d66ee1819c9558ca202a
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=801dcd70b0ec02566c704ff4f450cc90f6283f60