LMDE: Shellshock Bash Bug Fix?

[Bugs318]

When are the official repos going to post an updated bash to close this major vulnerability? Otherwise, does anyone else know how I can upgrade this? Can I use the regular debian repos in which it is already patched?

[jtarin]

Unless your using something other than default:DASH

The Debian Almquist Shell (dash) is a POSIX-compliant shell derived
from ash.

Since it executes scripts faster than bash, and has fewer library
dependencies (making it more robust against software or hardware
failures), it is used as the default system shell on Debian systems.


An update is in the repos for bash.

[jimallyn]

To answer your question, the answer is: yesterday. If I understand correctly, yesterday's update corrected one of the problems, and today's corrects the other. Run the update manager.

[sdibaja]

To answer your question, the answer is: yesterday. If I understand correctly, yesterday's update corrected one of the problems, and today's corrects the other. Run the update manager.

for LMDE? I don't remember any updates in the last several days...

[jimallyn]

Ah, you didn't mention that you were using LMDE. You can probably find it here:

https://packages.debian.org/

I don't know why Mint hasn't put out an update for LMDE yet.

[sdibaja]

Ah, you didn't mention that you were using LMDE. You can probably find it here:

https://packages.debian.org/

I don't know why Mint hasn't put out an update for LMDE yet.

nope, unless I wanted to pull in all those debian repos... I will just wait for the Mint guys to get it to us... thanks

[killer de bug]

use SID repo to take this update. Don't forget to remove SID repo after that.

[metalhamster]

In my opinion, it's better to address the issue asap with LMDE.

This tiny fix is less intrusive than having someone roaming around your files, inside your desktop/machine:

Code: Select all

~ $ wget -c http://ftp.de.debian.org/debian/pool/main/b/bash/bash_4.3-9.1_amd64.deb
~ $ sudo dpkg -i bash_4.3-9.1_amd64.deb

(and then we test drive the issue again)

~ $ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
hello

After that you can safely wait for the next LMDE update.

[kurotsugi]

the current LMDE is abandoned. the team won't (and probably can't) do anything until jessie becomes stable.

[killer de bug]

Yeah sure, they can't push a single package... Seriously

[kurotsugi]

Yeah sure, they can't push a single package... Seriously

this official comment of our "legendary defendant of LMDE" means that LMDE is abandoned until jessie becomes stable (probably in 12 month later). it's not that they "can't". it's because the "won't". they don't care about whatever problem you have by using LMDE.

thanks for official clarification :3

[killer de bug]

As I already said it earlier, the team was waiting for the official fix to enter Testing. The fix is in testing since the end of this afternoon. It will probably be available in LMDE at the beginning of next week when Clem will be back.

Kiss kurotsugi

[simplex]

Yeah sure, they can't push a single package... Seriously

Come on, be serious, please. I have been using LMDE happily for more than 2 years now on my desktop machine. Does this long-discussed update difficulty of LMDE mean that I cannot safely use LMDE? (On a desktop, *not* on a server!). And yes, I know, manpower is scarce, but I neither have the time nor the experience to contribute to the security side of LMDE. I just want to use it and promote it to other people as a very secure and user-friendly desktop OS. All my friends who are giving up XP...

[sdibaja]

Yeah sure, they can't push a single package... Seriously

Come on, be serious, please. I have been using LMDE happily for more than 2 years now on my desktop machine. Does this long-discussed update difficulty of LMDE mean that I cannot safely use LMDE? (On a desktop, *not* on a server!). And yes, I know, manpower is scarce, but I neither have the time nor the experience to contribute to the security side of LMDE. I just want to use it and promote it to other people as a very secure and user-friendly desktop OS. All my friends who are giving up XP...

Please don't worry about it. There is lots of hype in the news.
Read the first post on this thread: http://forums.linuxmint.com/viewtopic.p ... shellshock
my best, Peter

[killer de bug]

Come on, be serious, please.

Blame kurotsugi not me on this

I have been using LMDE happily for more than 2 years now on my desktop machine. Does this long-discussed update difficulty of LMDE mean that I cannot safely use LMDE? (On a desktop, *not* on a server!).

If you have a desktop your are not that much at risk. Trust me

[simplex]

Thank you for having appeased me.

Background of my question is: I contribute to LMDE by installing it to friends who are giving up M*crsoft or *pple products, basically with the following words: "Here I install you a free OS for all of your daily work with which you will never have to reinstall anything until the day that your hardware crashes. Concerning viruses, spies or even the NSA, you will always be on the safe side, as long as you accept all updates that are offered automatically to you."

Is this an exaggeration? Today, one of these friends pointed out to me that on one of the most popular German news websites (http://www.n-tv.de), there is an article about the "shellshock bug" and asked me whether he still was on the safe side. I have just read the article including its links and had to admit that LMDE has not yet fixed this bug

S.

[Habitual]

you will never have to reinstall anything until the day that your hardware crashes. Concerning viruses, spies or even the NSA, you will always be on the safe side, as long as you accept all updates that are offered automatically to you."

Is this an exaggeration?

Not only is it an exaggeration, it is downright misleading.

[killer de bug]

I have just read the article including its links and had to admit that LMDE has not yet fixed this bug

News paper like exaggerating. They like sensational.
But the truth is that if you are not using a server, then with or without fix it's mostly the same.

For your friends, it's maybe better to install the Main version of LM. Easier, and more often updated.

[metalhamster]

But the truth is that if you are not using a server, then with or without fix it's mostly the same.

For your friends, it's maybe better to install the Main version of LM. Easier, and more often updated.

Yep, what killer de bug says is totally right.

ShellShock should concern people that is using their LM/LMDE installation not as a desktop machine but as a server. For starters, LM/LMDE doesn't come with the ssh service installed/enabled by default, so you're totally safe there. No worries for pure Desktop users!

[kurotsugi]

as your wish...I'm in serious mode now :3

you should know that almost all victim of malware never realize that their system have been hacked. most of people who said "security only for server" never check their system, whether if it have been hacked or not. "I never need to update my system. I can guarantee my system is safe", they said. do you ever realize how silly they are?. they don't even know how to check the security of their system. for everyone who claiming their system is safe let's do a check

1. do you know how to check whether if someone listening to your IP address?
2. do you know how to check whether if something in your system accessing internet without your permission?
3. do you know whether if something accessing data in your system without your concern?
4. when did the last time you ever did this stuff?
5. now, are you sure that your system is safe?

be careful boys. your system might have been turned into bot zombie or something else without your realization. even the most updated system can't guarantee that the system is completely safe. most of you didn't know how to tighten your system security by yourself. that's why updating your system periodically is the easiest way to keep the risk at minimum level.

if you feel worried about shellshock,then you should know that bash vulnerability is only one of the security hole on LMDE. it's the one which got huge attention from media but it is not the only one. current LMDE missed 200+ security patch from debian testing. you can get the list of all missed security patch here https://lists.debian.org/debian-security-announce/2014/

imagine a system with 200+ security holes. that's a good way to exaggeratingly said that your LMDE is "safe".