Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20141003213059.GB4115@chaz.gmail.com>
Date: Fri, 3 Oct 2014 22:30:59 +0100
From: Stephane Chazelas <stephane.chazelas@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution
 through bash)

2014-10-03 14:48:19 -0500, Kobrin, Eric:
> I've found the shellshock vulnerable code in archives claiming to contain bash 1.05, which also claim to be from 1990 or 1989.
> I was unable to find the source for anything claiming older than 1.05.
[...]

Sorry, I said in the other email that it was not in 1.12. That's
my memory failing. I remember checking that it was not in 1.05
and it was, which is even more than my memory failing. Chet did
tell me that it was added in 1.13 though. I've now found 1.12
(ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z)

and it was there indeed and the ChangeLog also in 1.05 has:

Sat Aug  5 08:32:05 1989  Brian Fox  (bfox at aurel)

        * variables.c: make_var_array (), initialize_shell_variables ()
          Added exporting of functions.


And:

Fri Sep  1 18:52:08 1989  Brian Fox  (bfox at aurel)
[...]
        * I update this too irregularly.
          Released 1.03.


So the feature has indeed been there for over a quarter of a
century since 1.03, and Chet and I have spread misconceptions by
saying that it was added circa 1993.

-- 
Stephane

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.