Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 4 Oct 2014 20:34:21 +0100
From: Riot <>
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote
 code execution through bash)


Bash versions back to 1.13 are all available on ftp.gnu, so not going to
list explicit links for those.

Bash 1.12 came from an this old slackware mirror:

Other old slackware and debian releases from the era: and

The atari bash 1.08 binary we used came from  and was
tested in the steem engine emulator:

The Human68k bash came from
and was tested using the XM6 Pro emulator: with this
disk image to boot:


On 4 October 2014 14:22, Hanno Böck <> wrote:

> Am Sat, 4 Oct 2014 00:19:06 +0100
> schrieb Riot <>:
> > We then worked further back in time, unearthing bash 1.08.2 on an
> > ancient 1991 Atari ST image:
> >  This was also
> > vulnerable.  This version is relevant because the first version of
> > bash ported to linux was bash 1.08 - here's the original post by
> > Linus at the tender age of  advertising his first build of linux on
> > the minix newsgroup in 1991, explicitly mentioning bash 1.08.  This
> > datum told us that shellshock is older than all of linux, which makes
> > for a nice soundbite for the press.
> >
> > Going back further proved very difficult because few archives
> > including these early versions exist anywhere, and by all accounts
> > the early releases were buggy and not particularly portable.  We
> > eventually managed to locate an image for an obscure Japanese
> > Human68k containing bash 1.05.  Here it identifies itself as bash
> > 1.05 X6_19:  The file
> > is dated 12/08/1991... and of course it's vulnerable:
> >
> Can you post the relevant download links to the atari st / 68k images
> and other possibly interesting stuff? Or where they from private
> archives?
> I think independently of current events this might be interesting for
> people digging in IT history, so having them somewhere easy to find
> would be nice.
> --
> Hanno Böck
> mail/jabber:
> GPG: BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.