Date: Sun, 5 Oct 2014 04:38:15 -0700
From: Jose R R <Jose.r.r@...ztli-it.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

Hanno,

< https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >

I've downloaded your bash test script and executed it against a Debian
7 (Wheezy) patched system (upper image),

as well as a local Debian Sid (unstable) build of bash where I applied
the October 02, 2014, bash43-029 (bottom image):

< https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >

Thus agreeing with Sona: "but I think what most (non-expert) people
need is an explanation for each CVE, a set of test case from some
reliable source (preferably a script that runs all test cases and
shows vulnerable/not-vulnerable status) and a set of patches. So that
they can apply the patches, run the tests and assert that their
systems are not vulnerable to shellshock anymore."

On Sun, Oct 5, 2014 at 3:51 AM, Hanno Böck <hanno@...eck.de> wrote:
> Am Sun, 5 Oct 2014 10:22:06 +0000
> schrieb Sona Sarmadi <sona.sarmadi@...a.com>:
>
>> 3) Do you have a script or summary of all tests in one place like
>> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or
>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ?
>> Or maybe these are good enough & reliable?
>
> This is my script and I think what it does in the current version is
> the reasonable thing to do:
> It will first test if function importing old style is enabled and if
> yes it will warn about that, if it is disabled or any of the prefixing
> solutions is enabled then it will say so.
>
> All further test outputs for all 6 CVEs depend on that. If the old
> function import is enabled, warnings will be shown in red, because then
> people are in real danger. If function importing is disabled or
> prefixed, the warnings will look less scary and clearly state
> "non-exploitable".
>
> I think this is reasonable. I regret that previous versions of my
> script showed a more scary output even if people weren't really in any
> danger because prefixing was already enabled. It was even
> referenced in a number of inaccurate media reports.
>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno@...eck.de
> GPG: BBB51E42

Best Professional Regards.

-- 
Jose R R
http://www.metztli-it.com
---------------------------------------------------------------------------------------------
NEW Apache OpenOffice 4.1.1! Download for GNU/Linux, Mac OS, Windows.
---------------------------------------------------------------------------------------------
Daylight Saving Time in USA & Canada ends: Sunday, November 02, 2014
---------------------------------------------------------------------------------------------
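As an added illustration of the first decision Hanno's script makes (this is not the bashcheck code itself), here is a small POSIX sh check that reports whether the bash under test imports functions old-style, only via a `BASH_FUNC_name%%` or `BASH_FUNC_name()` prefix, or not at all. It assumes `bash` is on PATH (set `BASH_BIN` to point at another build, such as a local Sid build) and that those two prefix spellings are the ones used by bash43-027 and the vendor variant.

```shell
#!/bin/sh
# Added example, not Hanno's bashcheck: classify how the bash under test
# imports shell functions from the environment, which is what his script
# decides before reporting on the individual CVEs.
# Assumption: bash is on PATH; set BASH_BIN to test a different binary.
BASH_BIN="${BASH_BIN:-bash}"

# probe_import VARNAME: export VARNAME with a function-looking value and see
# whether bash defines a function named probe_fn from it. Returns 0 if it did.
probe_import() {
    out=$(env "$1=() { echo imported; }" "$BASH_BIN" -c 'probe_fn' 2>/dev/null)
    [ "$out" = "imported" ]
}

# import_mode prints one of:
#   old-style  unpatched export scheme: any variable name becomes a function
#   prefixed   only BASH_FUNC_name%% (bash43-027) or BASH_FUNC_name() (assumed
#              vendor spelling) are honoured
#   disabled   nothing is imported from the environment at all
#   no-bash    BASH_BIN was not found
import_mode() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    if probe_import probe_fn; then
        echo "old-style"
    elif probe_import 'BASH_FUNC_probe_fn%%' || probe_import 'BASH_FUNC_probe_fn()'; then
        echo "prefixed"
    else
        echo "disabled"
    fi
}

# verdict MODE: the wording the later per-CVE tests should use, following the
# distinction Hanno draws between a real warning and "non-exploitable".
verdict() {
    case "$1" in
        old-style)         echo "DANGER: any environment variable can define a function" ;;
        prefixed|disabled) echo "non-exploitable via the environment: function import is restricted" ;;
        *)                 echo "unknown" ;;
    esac
}

# Stand-alone usage: print the mode and the matching verdict.
mode=$(import_mode)
echo "function import: $mode -> $(verdict "$mode")"
```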
