Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
'Bash' virus?
Any advice to Linux users to defend against 'Bash' virus
Last edited by karlchen on Mon Oct 06, 2014 10:33 am, edited 1 time in total.
Reason: Note: the posts in the thread will be moved into the thread "Main Edition: BASH vulnerability a.k.a. 'Shellshock'" which collects all posts related to the bash security vulnerability.
Re: 'Bash' virus?
I don't worry about it. I keep my security updates current, watch what gets downloaded and what gets run. While that doesn’t guarantee safety I have yet to get stung with that approach.
Re: 'Bash' virus?
Jo4 wrote: Any advice to Linux users to defend against 'Bash' virus
as stated, stay updated. Also it is not a virus, it's a vulnerability.
Re: 'Bash' virus?
Jo4 wrote: Any advice to Linux users to defend against 'Bash' virus
You might like to start by reading this thread: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
And as has already been pointed out: there is no bash virus, rather, unpatched bash versions are vulnerable to a particular kind of attack.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Apologies for not spotting this as a topic already being aired.
Jo
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Info:
Next round of bash updates for Mint 13 and Mint 17, first thread post updated correspondingly.
Note:
The most recent bash on Mint 13 x64, bash (4.2-2ubuntu2.6), and the most recent bash on Mint 17 x64, bash (4.3-7ubuntu1.5), passed all 7 tests here: What is #shellshock?. Whether this really means that now bash has been fully secured, time will tell ...
Last edited by karlchen on Fri Oct 10, 2014 6:13 am, edited 2 times in total.
Reason: by now both tests have been done: on Mint 13 and Mint 17
- Spearmint2
- Level 16
- Posts: 6900
- Joined: Sat May 04, 2013 1:41 pm
- Location: Maryland, USA
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Here's what you get if not running a server and are behind a router.
Warning Are you sure that host exists? We couldn't talk to it. Maybe it timed out? Took longer than 3 seconds to get a reply.
So, no problems here.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Some nice links showing the problematic of the shellshock bug :
http://blog.cloudflare.com/inside-shellshock/
http://ow.ly/C9FgX (or http://netmonastery.com/en/shellshock-t ... inkposting )
This one’s a must to read : http://www.tripwire.com/state-of-Sucuri ... nt-future/ => … identifying exploit attempts made against Apache targeting Shellshock vulnerabilities….
Of course this whole shellshock saga is only important for those people that have publicly running services such as http,ftp servers.
Most people who use Linux Mint only for local desktop activities ,and have no running open servers are not to be bothered about this.
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
ktheking wrote: Of course this whole shellshock saga is only important for those people that have publicly running services such as http,ftp servers.
Though there may be no need to panic for most home users, it will not do any harm updating bash to the bugfixed version.
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
ktheking wrote: Most people who use Linux Mint only for local desktop activities ,and have no running open servers are not to be bothered about this.
Wish we'd been told this weeks ago, would have saved a lot of worry!
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Well, on the one hand niowluka mentioned
"From the reports in the media the vulnerability existed for a while, there are no known existing exploits and it's the webservers that are most at risk."
on September 25th. (page 1 of our little thread).
On the other hand spending a few thoughts on securing your system by installing available security patches in a timely fashion will have done no harm.
And last, but not least, now that the vulnerabilities in unpatched bash versions have been made public, who can foretell whether some evil minded, but skilled developers will not find a way of bringing exploits for the vulnerabilities to machines as well which do not run web servers?
- Pilosopong Tasyo
- Level 6
- Posts: 1432
- Joined: Mon Jun 22, 2009 3:26 am
- Location: Philippines
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
turtlebay777 wrote: Wish we'd been told this weeks ago, would have saved a lot of worry!
Put things in perspective.
The earliest report in this forum (that I know of) started last September 25th (my time). By the next day, I noticed a trend -- several threads of the same theme were being posted all over the forum (so much for following the first forum rule). That's when I decided to initially merge all the related threads I could find (at the time I merged 10 similar topics) into this megathread that you're reading right now. The announcement was released and made global. On that same date (the 26th my time), xenopeek added summary information for everyone's perusal. We, forum admins and mods, made sure we update the announcement as we get the latest information made available to us.
You may have not noticed it, but if you read the first post in this thread, information about home users who don't run servers exposed to the internet was included. IMSMR, that piece of information was made available within the same day (if not the day after or so) when the announcement was released.
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].
- daveinuk
- Level 7
- Posts: 1559
- Joined: Tue Mar 23, 2010 7:52 pm
- Location: Manchester, England.
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
turtlebay777 wrote:
ktheking wrote: Most people who use Linux Mint only for local desktop activities ,and have no running open servers are not to be bothered about this.
Wish we'd been told this weeks ago, would have saved a lot of worry!
Every time an 'issue' like this rears its head the first question I start asking is 'how does/does this even affect the average desktop user' and in the last 5 years of my use no one has yet told me I have grave concerns that should bother me, I don't fall for the sensationalism that gets through to the TV and assorted so called 'media', one Linux hiccup every blue moon and it makes the papers and the BBC, as though the only tech news is that open source = scary things to be wary of, yet MS has regular problems that no one ever hears about, online services getting hacked and people's intimate pictures getting shared worldwide doesn't get as much attention as 1 vulnerability in a long time that got patched even before half of the public had a clue they had something new to 'worry about' while they were eating their branflakes one day . . . . . No, worry is one thing I stopped bothering with when I decided to completely drop MS/Google/Android et al . . . . . .
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
What I don't understand is the message which appears when you try to use apt-get remove bash (or whatever it should read) that bash is an important part of the system and by removing it you risk breaking your system.
Then we are told here that bash is unimportant on most desktop users systems except for those running open servers!
Which one is true?
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
No one has ever said bash was unimportant...
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
killer de bug wrote:
No one has ever said bash was unimportant...
This user DID!
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Post by ktheking on Fri Oct 10, 2014 1:43 pm
http://forums.linuxmint.com/viewtopic.p ... 93#p934106
Also Karlchen did on this URL http://forums.linuxmint.com/viewtopic.p ... 93#p934129
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Hello, turtlebay777.
killer de bug is absolutely right. No-one has ever said that the bash were unimportant. In particular, neither ktheking, nor me.
The bash is the default user's commandline shell on a lot of Linux systems. So it is important.
What we said was that the bash vulnerabilities exposed server machines to greater dangers than home users.
You see the difference? bash is important. The vulnerability is bad. But at present the exploits target web servers primarily, not home user machines. Nonetheless, the bash patches should be installed. Period.
Kind regards,
Karl
-
- Level 5
- Posts: 633
- Joined: Sat Dec 26, 2009 3:36 pm
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
turtlebay777 wrote: What I don't understand is the message which appears when you try to use apt-get remove bash (or whatever it should read) that bash is an important part of the system and by removing it you risk breaking your system.
What I read was that bash is not the default shell on Mint, meaning when "sh" is called, that calls another shell called dash. So that makes Mint a little less vulnerable. But, there are still at least 100 scripts which call bash directly, and in addition it is still the default login shell. Meaning, unless you configured a user otherwise manually, if you open a terminal, you are running bash. To test this, open a terminal and run "ps" and you should get something like this:
PID TTY TIME CMD
22256 pts/2 00:00:00 bash
22537 pts/2 00:00:00 ps
So yes it's still important.
But the vulnerability also required that an attacker be able to set an environment variable with a nefarious function definition. There isn't an easy way for that to happen on a desktop. When I run "printenv" in that terminal, I find there are only 41 environment variables set, and they all seem to be used for system configuration. And none of them define any functions. Information is not stored in those variables for example, by my browser when I surf the web, or when I read an email.
So long as you are not running a program which saves externally input data into an environment variable, you're fine even running an old bash version.
The main thing though is to always run an updated system anyway. There are always going to be bugs, which will usually get fixed quickly when discovered, which will usually be before anyone has figured out how to exploit them.
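The printenv check described in the post above, as an added example that is not part of the original thread: it lists environment variables whose value looks like a function definition and shows what /bin/sh resolves to. The function name and the sample variables are constructed for illustration; the "() {" value marker and the BASH_FUNC_ name prefix are general facts about bash, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): flag function-like environment values.

# Reads NAME=value lines (printenv format) on stdin. Prints NAME<TAB>kind for
# every value that starts with the four bytes "() {", the marker bash used for
# functions passed through the environment.
#   unprefixed : ordinary variable name; an unpatched bash would parse it
#   prefixed   : BASH_FUNC_ name, the form patched bash uses for exports
function_like_vars() {
    awk '{
        eq = index($0, "=")
        if (eq < 2) next                    # no NAME= part: continuation line
        name = substr($0, 1, eq - 1)
        if (name ~ /[ \t]/) next            # indented body of a multi-line value
        value = substr($0, eq + 1)
        if (substr(value, 1, 4) != "() {") next
        kind = (name ~ /^BASH_FUNC_/) ? "prefixed" : "unprefixed"
        print name "\t" kind
    }'
}

# Constructed sample, not captured from a real system.
SAMPLE_ENV='HOME=/home/user
LEGACY=() { :; }
BASH_FUNC_greet%%=() {  echo hi
}
PATH=/usr/bin:/bin
NOTE=text () { not at the start'

echo "sample environment:"
printf '%s\n' "$SAMPLE_ENV" | function_like_vars
echo "this environment:"
printenv | function_like_vars
echo "/bin/sh resolves to: $(readlink -f /bin/sh 2>/dev/null)"
```

An empty list under "this environment" matches what the poster saw on a desktop; any "unprefixed" entry is worth tracing back to the program that set it.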
Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'
karlchen wrote:
Hello, turtlebay777.
killer de bug is absolutely right. No-one has ever said that the bash were unimportant. In particular, neither ktheking, nor me.
The bash is the default user's commandline shell on a lot of Linux systems. So it is important.
What we said was that the bash vulnerabilities exposed server machines to greater dangers than home users.
You see the difference? bash is important. The vulnerability is bad. But at present the exploits target web servers primarily, not home user machines. Nonetheless, the bash patches should be installed. Period.
Kind regards,
Karl
So when ktheking stated " Of course this whole shellshock saga is only important for those people that have publicly running services such as http,ftp servers.", you are saying he was wrong?
No I don't see the difference, a statement is either right or wrong. If as you assert, "In particular, neither ktheking, ..." then either he is right or wrong.
I am an English speaker from birth so it is my mother tongue, so there can be nothing lost in translation.
Other Linux sites have said that bash is not used for anything other than servers too. As I'm not running a server what is bash being used for?
"Most people who use Linux Mint only for local desktop activities ,and have no running open servers are not to be bothered about this".
This statement is also wrong?
I'm not looking for an argument, I'm trying to understand why someone has posted apparently wrong info here which had not been deleted or amended by the admins.