Where can I download a complete set of bash source code that fixes the "shellshock" vulnerability?

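After downloading bash-4.3 and applying patches 1 to 25 (from http://ftp.gnu.org/gnu/bash), the compiled bash still has two potential vulnerabilities (as described in the following article: https://access.redhat.com/articles/1200223).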

My question is: does anyone know where I can download the remaining patches, or download the complete source code from a reputable site?

Here is the relevant snippet from the linked article:

The versions with only the original CVE-2014-6271 fix applied produce the following output:

    $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    bash: error importing function definition for `BASH_FUNC_x()'
    test

The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

    $ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
    bash: x: line 1: syntax error near unexpected token `='
    bash: x: line 1: `'
    bash: error importing function definition for `x'
    Fri Sep 26 11:49:58 GMT 2014

If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created. If your system is not vulnerable, you will see output similar to:

    $ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
    date
    cat: /tmp/echo: No such file or directory
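Added example, not part of the original post or the Red Hat article: a POSIX shell function that runs the two probes quoted above against a chosen bash binary, for instance a freshly compiled build before it is installed. The name `check_shellshock` and its output strings are made up for this example, and the CVE-2014-7169 probe runs in a private temporary directory instead of /tmp so the `echo` file check cannot collide with files left there by anyone else.

```shell
#!/bin/sh
# check_shellshock [BASH_BINARY]
# Hypothetical helper (not from the page): runs the two probes from the
# quoted article against BASH_BINARY (default: bash found on PATH).
# Exit status: 0 = neither probe fired, 1 = at least one fired, 2 = setup error.
check_shellshock() (
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || {
        echo "error: $bash_bin not found"; exit 2; }
    work=$(mktemp -d) || exit 2
    cd "$work" || exit 2
    status=0

    # CVE-2014-6271: a vulnerable bash executes the text after the function
    # body while importing the variable, so "vulnerable" appears on stdout
    # as a line of its own. Warnings go to stderr and are discarded.
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$bash_bin" -c 'echo test' 2>/dev/null) || true
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo 'CVE-2014-6271: VULNERABLE'; status=1
    else
        echo 'CVE-2014-6271: not vulnerable'
    fi

    # CVE-2014-7169: a vulnerable bash creates a file named "echo" in the
    # current directory (the private temp dir here, not /tmp).
    env 'x=() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 || true
    if [ -e "$work/echo" ]; then
        echo 'CVE-2014-7169: VULNERABLE'; status=1
    else
        echo 'CVE-2014-7169: not vulnerable'
    fi

    # Clean up the scratch directory before reporting the verdict.
    cd / && rm -rf "$work"
    exit "$status"
)
```

Call it as `check_shellshock ./bash` from the build directory to test the binary you just compiled rather than the one on PATH.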

The patches for CVE-2014-7169 were originally posted here: http://www.openwall.com/lists/oss-security/2014/09/26/1

They were later pushed to the official GNU FTP site: https://ftp.gnu.org/gnu/bash/

They need to be applied on top of the patch for CVE-2014-6271.

What is your operating system? I just followed the instructions here for an EOL Ubuntu system, and they worked fine: http://ubuntuforums.org/showthread.php?t=2245682&p=13128872#post13128872

This is from https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it/528171#528171

I think version 3.2 is 32-bit and 4.3 is 64-bit; trying to confirm now…

For users of Debian and its derivatives (Ubuntu / Mint), the fixed Bash is already in the repositories. To fix it, just type apt-get update && apt-get install --only-upgrade bash

For Fedora 20, the fixed version of bash is also in the repositories.