Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Oct 2014 04:38:15 -0700
From: Jose R R <>
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of
 Concept Code


< >

I've downloaded your bash test script and executed it against a Debian
7 (Wheezy) -patched system (upper image)

as well as a local Debian Sid (unstable) build of bash where I applied
the October 02, 2014, bash43-029 (Bottom image)

< >

Thus agreeing with Sona: "but I think what most (non-expert) people
need is an explanation for each CVE, a set of test case from some
reliable source (preferably a script that runs all test cases and
shows vulnerable/not-vulnerable status) and a set of patches. So that
they can apply the patches, run the tests and assert that their
systems are not vulnerable to shellshock anymore."

On Sun, Oct 5, 2014 at 3:51 AM, Hanno Böck <> wrote:
> Am Sun, 5 Oct 2014 10:22:06 +0000
> schrieb Sona Sarmadi <>:
>> 3) Do you have a script or summary of all tests in one place like
>> or
>> ?
>> Or maybe these are good enough & reliable?
> This is my script and I think what it does in the current version is
> the reasonable thing to do:
> It will first test if function importing old style is enabled and if
> yes it will warn about that, if it is disabled or any of the prefixing
> solutions is enabled then it will say so.
> All further test outputs for all 6 CVEs depends on that. If the old
> function import is enabled warnings will be shown in red, because then
> people are in real danger. If function importing is disabled or
> prefixed the warnings will look less scary and clearly state
> "non-explitable".
> I think this is reasonable. I regret that previous versions of my
> script showed a  more scary output even if people weren't really in any
> danger because prefixing was already enabled.It was even
> referenced in a number of inaccurate media reports.
> --
> Hanno Böck
> mail/jabber:
> GPG: BBB51E42

Best Professional Regards.

Jose R R
NEW Apache OpenOffice 4.1.1! Download for GNU/Linux, Mac OS, Windows.
Daylight Saving Time in USA & Canada ends: Sunday, November 02, 2014

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ