Hello!
We have Plesk Panel 11.5 in Virtuozzo containers (CentOS 6 x86_64), and we often provide our customers with SSH access with chroot - /usr/local/psa/bin/chrootsh.
We all know about the Shellshock vulnerability and we have already installed all fixes to bash, but the chrootsh version is still vulnerable.
Here are the results of BashCheck from http://kb.odin.com/en/123006 under a chrooted user:
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
bashcheck: line 15: 19226 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
Do you plan to release updates for chrootsh?
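
A patched system bash alongside a chrooted shell that still fails BashCheck is what you see when the chroot runs its own older copy of the binary. The function below is an added example, not part of the original post and not Plesk code: it lists every copy of a shell binary under a directory tree that differs from a patched reference binary. It assumes the chroot keeps separate copies of bash inside its tree, and all paths are placeholders to be supplied by the administrator.

```shell
#!/bin/sh
# Added example (not Plesk code): find copies of a shell binary under a
# directory tree that do not match the patched reference binary.
#
# Usage (both paths are placeholders):
#   stale_copies /bin/bash /path/to/chroot/root
#   stale_copies /bin/bash /path/to/chroot/root sh
#
# Prints the path of each regular file named NAME (default: bash) under ROOT
# whose contents differ from REF.
# Returns 0 if every copy matches, 1 if any copy differs, 2 on bad arguments.
stale_copies() {
    sc_ref=$1
    sc_root=$2
    sc_name=${3:-bash}

    if [ ! -f "$sc_ref" ] || [ ! -d "$sc_root" ]; then
        echo "usage: stale_copies REF ROOT [NAME]" >&2
        return 2
    fi

    # -xdev keeps find on one filesystem; cmp -s compares byte for byte,
    # so a copy is reported even when its size and timestamp look current.
    sc_out=$(find "$sc_root" -xdev -type f -name "$sc_name" -exec sh -c '
        ref=$1
        shift
        for f in "$@"; do
            cmp -s "$ref" "$f" || printf "%s\n" "$f"
        done
    ' sh "$sc_ref" {} +)

    if [ -z "$sc_out" ]; then
        return 0
    fi
    printf '%s\n' "$sc_out"
    return 1
}
```

Any path it prints is a binary that package updates to the system bash did not touch; re-run BashCheck inside the chroot after those copies have been replaced.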