Date: Fri, 3 Oct 2014 22:30:59 +0100 From: Stephane Chazelas <stephane.chazelas@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) 2014-10-03 14:48:19 -0500, Kobrin, Eric: > I've found the shellshock vulnerable code in archives claiming to contain bash 1.05, which also claim to be from 1990 or 1989. > I was unable to find the source for anything claiming older than 1.05. [...] Sorry, I said in the other email that it was not in 1.12. That's my memory failing. I remember checking that it was not in 1.05 and it was, which is even more than my memory failing. Chet did tell me that it was added in 1.13 though. I've now found 1.12 (ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z) and it was there indeed and the ChangeLog also in 1.05 has: Sat Aug 5 08:32:05 1989 Brian Fox (bfox at aurel) * variables.c: make_var_array (), initialize_shell_variables () Added exporting of functions. And: Fri Sep 1 18:52:08 1989 Brian Fox (bfox at aurel) [...] * I update this too irregularly. Released 1.03. So the feature has indeed been there for over a quarter of a century since 1.03, and Chet and I have spread misconceptions by saying that it was added circa 1993. -- Stephane
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.