Bash vulnerability CVE-2014-6271 is reported as fixed in version 4.3-11 on Debian Jessie. On a Debian Jessie server, I executed the command bash --version and it said the version is 4.3.30. Is this server vulnerable to the CVE-2014-6271? Which release came first, 4.3.30 or 4.3-11? How do I tell?
Specifically, I don't understand the release naming convention and the significance of "-" vs ".".
4.3.30 is a version of bash. 4.3-11 is the version of the bash Debian package in Jessie that was created based on bash 4.3.
So bash 4.3.30 is newer than bash in Debian package 4.3-11.
The part of the version after the dash (-) is called debian_revision.
From the Debian Policy Manual:
The version number of a package. The format is:
[epoch:]upstream_version[-debian_revision].
upstream_version
This is the main part of the version number. It is usually the version number of the original (“upstream”) package from which the .deb file has been made, if this is applicable. Usually this will be in the same format as that specified by the upstream author(s); however, it may need to be reformatted to fit into the package management system’s format and comparison scheme.
debian_revision
This part of the version number specifies the version of the Debian package based on the upstream version. It may contain only alphanumerics and the characters + . ~ (plus, full stop, tilde) and is compared in the same way as the upstream_version is. It is optional;
The package management system will break the version number apart at the last hyphen in the string (if there is one) to determine the upstream_version and debian_revision. The absence of a debian_revision is equivalent to a debian_revision of 0.
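To make the quoted policy concrete, here is an added example (my own code, not from the answer above or from the Debian project): a small Python port of the comparison rules dpkg applies, splitting a version at the first colon and the last hyphen and then comparing the fragments, so you can see how 4.3.30 and 4.3-11 are ordered. It assumes only the rules quoted from the Policy Manual.

```python
def parse_debian_version(v):
    """Split 'epoch:upstream-debian_revision' per Debian Policy.
    Epoch ends at the first colon; revision starts at the LAST hyphen."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, revision = v, "0"   # no revision == revision 0
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    return epoch, upstream, revision

def _order(c):
    # dpkg's character ordering: '~' sorts before everything, even end of
    # string; end of string is 0; letters before any other non-digit
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare one fragment (upstream or revision) the way dpkg does:
    alternate non-digit runs (lexical) and digit runs (numeric)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0] if a else "")
            bc = _order(b[0] if b else "")
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")   # leading zeros are ignored
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():   # a has more digits: larger number
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive, like 'dpkg --compare-versions'."""
    e1, u1, r1 = parse_debian_version(v1)
    e2, u2, r2 = parse_debian_version(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
```

The same check on a Debian host is `dpkg --compare-versions 4.3.30 gt 4.3-11`, which this code mirrors; note that a fixed package may carry the security patch in its debian_revision even though its upstream_version stays at 4.3.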