Main Edition: BASH vulnerability a.k.a. 'Shellshock'


Post by Pilosopong Tasyo » Wed Sep 24, 2014 4:37 pm

:!: Several topics discussing this issue recently emerged in the forum. These similar topics have been merged here and will be on sticky for some time. If any member sees a new thread that discusses the same/similar issue, kindly report it so we can take the appropriate action. Thank you all for your cooperation. :!:

Summary of need to know information:
  • Linux Mint 13 has been fully patched: just install level 3 updates from Update Manager to get bash update 4.2-2ubuntu2.6 (changelog).
    This fixes all reported vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278).
  • Linux Mint 17 has been fully patched: just install level 3 updates from Update Manager to get bash update 4.3-7ubuntu1.5 (changelog).
    This fixes all reported vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278).
  • Other versions of Linux Mint are obsolete and will not receive security updates. Either patch bash manually, or install Linux Mint 13 or 17. More information here.
  • LMDE is not yet patched, but you can get a patched version of bash from Debian sid. See this post for details. You will find a separate discussion about the LMDE issue here.
    Update 30-Sept-2014: User monsta reports: "bash 4.3-9.2 is in LMDE now, the security hole is patched there."
The bash vulnerability primarily affects users running server software that uses shell scripts (e.g., Apache web server with CGI scripts), where the shell scripts are poorly written (no sanitizing of user input; rookie web developer mistake), the user has changed the default sh shell from dash to bash (that's right; bash isn't the default sh shell), and the server software is reachable from the Internet.

In other words, as home users not running any server software that is reachable from the Internet, this bash vulnerability doesn't immediately affect you.
Last edited by Pilosopong Tasyo on Wed Oct 15, 2014 10:43 pm, edited 16 times in total.
Reason: Issue has finished running its course. Removing sticky status.
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].


Vulnerability in Bash

Post by Ubulindy » Wed Sep 24, 2014 5:33 pm

This vuln just came in my RSS. Vulnerability in Bash: http://arstechnica.com/security/2014/09 ... -nix-in-it
Sure enough, I ran the code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
It came back:
vulnerable
this is a test
Reports indicate Ubuntu has patched this as of today. Can we expect an update for LMDE soon?
“When the government’s boot is on your throat, whether it is a left boot or a right boot is of no consequence."


Re: bash cve 2014-6271

Post by kyphi » Thu Sep 25, 2014 12:36 am

The patch has already been released and installed. Check your Update Manager.

LM 13 was great indeed, I enjoyed using it tremendously. LM 17 is even greater, in my opinion.
Linux Mint 19.2 Cinnamon - 64bit


Re: Vulnerability in Bash

Post by kyphi » Thu Sep 25, 2014 12:38 am

It has already been fixed in all versions of Linux Mint. Check your Update Manager.

Re: Vulnerability in Bash

Post by Ubulindy » Thu Sep 25, 2014 1:15 am

I posted in LMDE (Linux Mint Debian Edition). This vuln was just made known today, and yes, I have updated; no update as of yet for this. Updates are far and few between. LMDE is based on "testing", not Ubuntu-based like the regular Mint :)

Re: Vulnerability in Bash

Post by kyphi » Thu Sep 25, 2014 2:01 am

Here it says that Debian has plugged the security hole in bash:

http://www.zdnet.com/unixlinux-bash-cri ... 000034021/

Quoted from the above article published yesterday (24th):

At this time, only Debian and Red Hat appear to have packaged patches ready to go.

And, yes, I used Debian for some time and am familiar with the differences.

What's this about bash?

Post by amasa » Thu Sep 25, 2014 2:21 am

There are reports today that there is a security hole in bash, and that the sky will soon fall in. Does this affect us on Mint?


Re: Vulnerability in Bash

Post by Ubulindy » Thu Sep 25, 2014 2:29 am

Yes, based on this: https://security-tracker.debian.org/tra ... -2014-6271 ..... some debians have been patched and others haven't. LMDE is based on "testing" which is "Jessie" I believe, and it looks as though the fix is not out yet. Guess we'll just have to wait on the fix to come through.

Re: Linux has a catastrophic flaw...

Post by Pierre » Thu Sep 25, 2014 2:39 am

as in:
http://arstechnica.com/security/2014/09 ... nix-in-it/

"Patches issued:
Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian
Opensuse 13.1

The patch for Opensuse 13.1 was applied before we knew about the bug. - Too bad Microsoft doesn't work that fast."
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.


Re: Vulnerability in Bash

Post by killer de bug » Thu Sep 25, 2014 2:55 am

Take the upgrade in Sid. :wink:
If it ain't broke, fix it until it is.


Re: Vulnerability in Bash

Post by Ubulindy » Thu Sep 25, 2014 2:58 am

killer de bug wrote: Take the upgrade in Sid. :wink:
How do I go about doing that?

Re: What's this about bash?

Post by jimallyn » Thu Sep 25, 2014 3:01 am

Run the Update Manager, the fix is available.

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan


Re: What's this about bash?

Post by amasa » Thu Sep 25, 2014 3:15 am

Yes, I had checked the update manager and saw an item for bash so I ran it but I was not sure whether that was the fix. So that's all good then.


Shell Shock vulnerability

Post by jonniosaurus » Thu Sep 25, 2014 4:33 am

Quick question,

How does one manually patch this with this: http://ftp.gnu.org/pub/gnu/bash/bash-4. ... bash42-048

I tried wget http://ftp.gnu.org/pub/gnu/bash/bash-4. ... bash42-048

and then patch -p0 bin\bash bash42-048 but it didn't work.

Man, I suck at bash :(


Re: What's this about bash?

Post by niowluka » Thu Sep 25, 2014 5:34 am

amasa wrote: There are reports today that there is a security hole in bash, and that the sky will soon fall in.
No, it will not fall. From the reports in the media, the vulnerability existed for a while, there are no known existing exploits and it's the webservers that are most at risk.

So no need to panic just yet :wink:

BTW, kudos to Ubuntu and Mint teams for getting the patch ready so quickly. Thanks!
Mint 17 Openbox (MATE) 64bit | Linux 4.1.6 (Vanilla)

Gigabyte GA-880GA-UD3H | AMD Phenom II X4 965 3.4Ghz | G.Skill 8GB DDR3-1600 RipjawsX, F3-12800CL8D-8GBXM | MSI R7 260X 2048 MB GDDR5 OC


Re: Shell Shock vulnerability

Post by ktheking » Thu Sep 25, 2014 5:48 am

You might get lucky trying to use the ubuntu guide here : http://www.ubuntu.com/usn/usn-2362-1/

Source : http://www.csoonline.com/article/268726 ... -6271.html


Re: Shell Shock vulnerability

Post by eanfrid » Thu Sep 25, 2014 5:52 am

Just run MintUpdate...
Main desktop: Debian GNU/Linux Jessie 64bit - MATE
(i5 2400@3.7GHz - 16GB DDR3 - HD6770 w/radeon driver - SSD+RAID1)
Safer than Dropbox


Re: Shell Shock vulnerability

Post by jonniosaurus » Thu Sep 25, 2014 6:21 am

Mint update hasn't fixed it. I'm getting busted running:
env X="() { :;} ; echo busted" `which bash` -c "echo completed"


Re: Vulnerability in Bash

Post by killer de bug » Thu Sep 25, 2014 6:38 am

You add sid repo to your sources.list, you upgrade the package and you remove sid repo...

Recent bash vulnerability and patch questions

Post by linx255 » Thu Sep 25, 2014 6:50 am

- Mint 17 Mate 64-bit

According to NIST, vulnerability CVE-2014-6271 is described: "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."

csoonline.com says: "An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad."

I have never knowingly used those features and don't know anything about the environment variables, but my questions are:

1) Is "nefarious" accurate or should they have used "careless" in describing the function "which can enable network exploitation"? Did they really mean an arbitrary environment variable itself is nefarious? Did the arbitrarily named environment variables originate from bash features or the attacker?
2) Are any of these features used in an automated / background way that I wouldn't necessarily see on my screen? (I.e., upon boot, or running Update Manager, or some other program)
3) Would attacks have been effective against a machine with SELinux installed with one of the two default configurations? Apparently no authorization was required for the code injection.
4) Should I be asking different questions here?

Thanks
- I'm running Mint 18 Mate 64-bit
- 4.15.0-34-generic x86_64
- All my bash scripts begin with #!/bin/bash
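
Added example, not part of any post in this thread: the NIST description quoted above names Apache mod_cgi as a vector, where request headers are handed to CGI programs as environment variables. This Python script scans access-log lines for logged header values that begin with `() {`, as the test strings in this thread do, and reports any text after the function body. The Apache "combined" log format, the sample lines and all names are assumptions constructed for illustration.

```python
import re

# Assumed Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED +
    r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)

# The probe values posted in this thread start with "() {"; the pattern
# tolerates extra whitespace so near-variants are still reported.
FUNC_PREFIX = re.compile(r'^\s*\(\)\s*\{')


def trailing_text(value):
    """Heuristic: text after the last '}' of the function body, minus separators."""
    end = value.rfind("}")
    return "" if end == -1 else value[end + 1:].strip(" ;\t")


def scan(lines):
    """Return one finding per logged header value that looks like a bash function."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skipped, not flagged
        for field, value in (("referer", m.group(3)), ("agent", m.group(4))):
            if FUNC_PREFIX.match(value):
                findings.append({"host": m.group("host"), "field": field,
                                 "trailing": trailing_text(value)})
    return findings


# Constructed sample lines (documentation IP ranges, benign probe from this thread).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:06:21:00 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:06:22:13 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 41 "-" "() { :;}; echo vulnerable"',
    '198.51.100.9 - - [25/Sep/2014:06:23:40 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 41 "() { :;}" "curl/7.35.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only headers that the server actually logs are visible to this check; a non-empty `trailing` value marks text following the function definition, which is the part CVE-2014-6271 concerns.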
