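Worse still, exploiting the Bash vulnerability is even simpler: just cutting and pasting a single line of code is enough to get results. Such a low barrier may attract more hackers to attack, which is exactly what worries security experts.
The question is, what is this line of code? Can anyone post it so I can test?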
--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+un...@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN
---
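You received this message because you are subscribed to the "Shanghai Linux User Group" group on Google Groups.
To unsubscribe from this group and stop receiving emails from it, send an email to shlug+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.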
There are other services that run on Linux and Unix systems, such as the CUPS printing system, that are similarly dependent on Bash that could be vulnerable.
There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test
env X='() { (a)=>\' sh -c "echo date"; cat echo
If you're running bash from MacPorts, the update process below gets you a bash version 4.3.25 which has the fix for the vulnerability. This is useful if you have changed shells to use MacPorts bash to get the version 4 features.
It will not solve the issue of standard OS scripts, as they have #!/bin/sh or #!/bin/bash as the first line. (This sort of issue is why MacPorts tries not to use Apple's supplied versions of programs, as MacPorts tends to be updated quicker, e.g. it has a newer version of bash.)
$ sudo port selfupdate
$ sudo port upgrade bash
Note that this still leaves you with a vulnerable system bash; you need to update the MacPorts bash in addition to patching the system bash as described above.
OS X 10.9.5 (the latest stable release at the moment) ships with Bash v3.2.51:
$ bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
You can obtain and recompile Bash as follows, providing that you have Xcode installed:
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ cd ..
$ xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.52(1)-release
$ build/Release/sh --version # GNU bash, version 3.2.52(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin
After this, the Bash version should be v3.2.52:
$ bash --version
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
For security, and after testing, I recommend that you chmod -x the old versions to ensure they aren't re-used, or move them to a backup site.
$ sudo chmod a-x /bin/bash.old /bin/sh.old
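Added example, not part of any message in this thread: a POSIX sh function that runs the two one-line tests quoted earlier against a chosen shell binary inside a scratch directory, so that /bin/bash, /bin/bash.old and a rebuilt build/Release/bash can all be checked the same way before and after patching. The function name check_shell and its result strings are assumptions made for this example.

```sh
#!/bin/sh
# Added example: check_shell and its result strings are invented names.
# Prints one of: patched, vulnerable-test1, vulnerable-test2, not-found.
# Exit status is 0 only for "patched".
# Usage: check_shell /bin/bash ; check_shell build/Release/bash
check_shell() (
    shell=$1
    # Make the path absolute, because the tests run in a scratch directory.
    case $shell in
        /*)  ;;
        */*) shell=$(cd "$(dirname "$shell")" 2>/dev/null && pwd)/$(basename "$shell") ;;
        *)   shell=$(command -v "$shell") || shell= ;;
    esac
    if [ -z "$shell" ] || [ ! -x "$shell" ]; then
        echo not-found
        exit 2
    fi

    work=$(mktemp -d) || exit 2
    cd "$work" || exit 2
    result=patched

    # First test from the thread: text after the function body in an
    # environment variable must not be executed when the shell starts.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>/dev/null) || true
    case $out in
        vulnerable*) result=vulnerable-test1 ;;
    esac

    # Second test from the thread: an affected shell leaves a file named
    # "echo" in the current directory instead of printing the word "date".
    if [ "$result" = patched ]; then
        env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1 || true
        if [ -e echo ]; then result=vulnerable-test2; fi
    fi

    cd / && rm -rf "$work"
    echo "$result"
    [ "$result" = patched ]
)
```

Because the second test writes into the current directory, the function works in a temporary directory and deletes it afterwards, so no stray file named "echo" is left behind.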
huang@ubuntu:~/build$ bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
Just change the default shell.