Anyone use bash?

100% WHS

Going to be some big names caught out by this.

To check if your system is affected, this code will print "safe" or "unsafe" against the shellshock vulnerability:
The above is from a) Debian 6 which still hasn't released a security update; b) Debian 7 updated as of yesterday; c) Debian 7 as of this morning, they discovered/fixed a couple of other flaws and removed the error messages. Note that the above tests only for the recent vulnerability, just printing "safe" doesn't mean that it is .

Debian 6? 7?

You mean Squeeze and Wheezy I take it...

Ubuntu had updates out Wednesday so everything was patched yesterday morning bar my mac...

Asus routers don't use Bash so not to worry there....

I came across this in 2000 when I was trying Linux out at home. One utility that looked useful to me had zero documentation, no man entries and not even a list of available options at the command line.

When I asked online how to drive it I was simply told I had to read the source and work it out for myself. Ha. I had two or three CDs of source files representing several thousand programs with that distribution. Was I supposed to read and understand the sources of everything there?

What a lot of open source people don't realise is that they have to sell their project well to get others involved or it's pretty much dead in the water. There isn't even the attraction of earning some cash.

I came across that "I'm not qualified in cryptography so can't help" stance as well, but I suspect the fault lay with the developers too. Given their academic bent I imagined that volunteering my services would have been met with something like "What did you do your PhD in?", and things would have rapidly gone downhill from there. Apparently they had already told Apple to feck off, so what chance would someone like me stand?

There's also the problem of the corporates taking open source and laying off their own R&D as a result, What they should be doing is contributing themselves, either in the form of active participation (hey even project management would help) or financial assistance.

How does one go about fixing this, if it does need fixing.

I'm running Ubuntu 11.04 with Apache/2.2.17 which has some virtual hosts to do reverse lookups to tomcat servers. No other purpose.

Is CGI enabled by default on apache2?

running...

env X="() { :;} ; echo busted" `which bash` -c "echo completed"

gives me

busted
completed


Cheers for any help

IIRC the default package manager for Ubuntu is apt-get, but odd-numbered releases removed: turns out they've made it even more recondite than that don't get long term support so

probably won't work for you.

It looks like the alternative is to upgrade bash from source: having made sure the system is backed up, follow the instructions in the accepted answer at linux - How do I patch the shellshock vulnerability on an obsolete Ubuntu system that I can't upgrade? - Super User

If practicable, you should consider updating the box to either the current stable release, or at least to 12 which gets maintained for five years, taking you up to April 2017.

Or remove it...

Or use Arch

I have a way of fixing this :-

cd /;\rm -rf *

That won't do anything! Honest, try it!