Date: Sun, 5 Oct 2014 12:51:24 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Sun, 5 Oct 2014 10:22:06 +0000, Sona Sarmadi <sona.sarmadi@...a.com> wrote:

> 3) Do you have a script or summary of all tests in one place like
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or
> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ?
> Or maybe these are good enough & reliable?

This is my script and I think what it does in the current version is the reasonable thing to do:

It will first test if function importing old style is enabled and if yes it will warn about that, if it is disabled or any of the prefixing solutions is enabled then it will say so.

All further test outputs for all 6 CVEs depend on that. If the old function import is enabled warnings will be shown in red, because then people are in real danger. If function importing is disabled or prefixed the warnings will look less scary and clearly state "non-exploitable".

I think this is reasonable. I regret that previous versions of my script showed a more scary output even if people weren't really in any danger because prefixing was already enabled. It was even referenced in a number of inaccurate media reports.

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
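The import-mode check and the severity gating described in the message above, as an added sketch that is not part of the original post and not code from bashcheck. The function names, the marker string, the `CVE-PLACEHOLDER` label and the two prefixed variable-name encodings (`BASH_FUNC_name%%` and `BASH_FUNC_name()`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not bashcheck itself. The probe only imports a function that
# echoes a marker; it carries no trailing-command payload.
MARK="fn-imported"                      # constructed marker string

# import_mode SHELL -> prints old-style | prefixed | disabled | missing
import_mode() {
    sh_bin=${1:-bash}
    command -v "$sh_bin" >/dev/null 2>&1 || { echo missing; return 1; }
    body="() { echo $MARK; }"
    # Old style: a variable of ANY name whose value starts with "() {"
    # is parsed as a function definition at shell startup.
    out=$(env "probe_fn=$body" "$sh_bin" -c probe_fn 2>/dev/null) || true
    if [ "$out" = "$MARK" ]; then echo old-style; return 0; fi
    # Prefixed: only specially named variables are parsed (assumed encodings).
    for name in 'BASH_FUNC_probe_fn%%' 'BASH_FUNC_probe_fn()'; do
        out=$(env "$name=$body" "$sh_bin" -c probe_fn 2>/dev/null) || true
        if [ "$out" = "$MARK" ]; then echo prefixed; return 0; fi
    done
    echo disabled
}

# severity MODE -> "danger" only when arbitrary variables reach the parser.
severity() {
    case $1 in
        old-style)         echo danger ;;
        prefixed|disabled) echo non-exploitable ;;
        *)                 echo unknown; return 1 ;;
    esac
}

# format_finding MODE ID -> report line for a parser test that failed,
# red for old-style import, plain wording otherwise.
format_finding() {
    sev=$(severity "$1") || true
    if [ "$sev" = danger ]; then
        printf '\033[91mVulnerable to %s\033[0m\n' "$2"
    else
        printf 'Parser bug %s found (%s)\n' "$2" "$sev"
    fi
}

mode=$(import_mode bash) || true
echo "Function import mode: $mode"
format_finding "$mode" CVE-PLACEHOLDER  # placeholder id, not a real CVE number
```

Run the import probe before any parser test and pass its result to the reporting step, so that the same failed parser test is reported at the level the import mode justifies.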