Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
Re: should i be worried? CVE-2014-6271 remote exe w/ bash
Check the other threads about this topic first. But in short: NO, if you're on version LM13 or 17 and you do updates.
Otherwise you have to patch manually using the ubuntu guidelines.
- Pilosopong Tasyo
- Level 6
- Posts: 1432
- Joined: Mon Jun 22, 2009 3:26 am
- Location: Philippines
Re: BASH vulnerability a.k.a. 'Shellshock'
tamone wrote:
Maybe I should block bash update to prevent a roll-back of the vulnerable version in the next install update ?

If I understand the way apt-get works, it -- by default -- installs the latest available version only. If an older version in the repo exists and you already have a higher version installed, apt-get isn't going to roll back, unless you explicitly tell it to install a specific version. Check the apt-get man page for details.
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].
Re: Recent bash vulnerability and patch questions
linx255 wrote:
According to NIST, vulnerability CVE-2014-6271 is described: "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."
csoonline.com says: "An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad."
I have never knowingly used those features and don't know anything about the environment variables, but my questions are:
1) Is "nefarious" accurate or should they have used "careless" in describing the function "which can enable network exploitation" ? Did they really mean an arbitrary environment variable itself is nefarious? Did the arbitrarily named environment variables originate from bash features or the attacker?
2) Are any of these features used in an automated / background way that I wouldn't necessarily see on my screen? ( I.e. upon boot, or running Update Manager, or some other program )
3) Would attacks have been effective against a machine with SELinux installed with one of the two default configurations? Apparently no authorization was required for the code injection.
4) Should I be asking different questions here?

1) They mean that a remote attacker could do something that would put a "nefarious function" in an environment variable, and get run that way, for certain programs that use bash. They give a few examples of server software, like Apache with mod_cgi, that is vulnerable to this attack (as cgi scripts are often shell scripts, and thus bash if that is the default shell). You using bash as your shell in the terminal isn't the vulnerability; the vulnerability is with your running server software on a port on your computer that is reachable from the Internet (i.e., that you have configured in your broadband modem/router's firewall to be allowed, and on your computer's firewall to be allowed).
On Linux Mint the default shell (sh) is dash, not bash. Scripts for servers are commonly sh scripts, so getting run through dash instead of through bash. The scope of this vulnerability is limited to server programs explicitly using bash for running shell scripts, or shell scripts themselves being declared specifically as bash scripts (a header of #!/bin/bash instead of common #!/bin/sh).
2) Not to my knowledge; if you are a home user and you haven't configured any ports on your computer to be reachable from the Internet then all the services running on your computer are reachable from your own network only. Again, you using bash isn't the vulnerability--server software using bash is.
3) I haven't read it fully (don't have SELinux active), but there is a post on that: http://danwalsh.livejournal.com/71122.html
4) I think you've asked well informed questions.
zdnet has a good article showing what kind of software is affected and which isn't: http://www.zdnet.com/shellshock-how-to- ... 000034072/. But if you have installed level 3 updates through Update Manager, your bash is already patched for both CVE's.
'-s' is your friend!
tamone wrote:
Maybe I should block bash update to prevent a roll-back of the vulnerable version in the next install update ?

Pilosopong Tasyo wrote:
If I understand the way apt-get works, it -- by default -- installs the latest available version only. [...] Check the apt-get man page for details.

Actually a better way to check, with either `aptitude` or `apt-get`, is to use the `-s` switch, which means "simulate" or "dry-run": basically, "tell me what you *would* do, but don't actually do it." I *always* use the following workflow:
Code:
sudo aptitude -s do something
# if I decide to do it, use bash commandline editing to change '-s' to 'y'
sudo aptitude -y do something # answers "yes" to the question about whether to proceed
Code:
sudo aptitude -s install bash
Code:
sudo aptitude -s full-upgrade
Re: BASH vulnerability a.k.a. 'Shellshock'
Pilosopong Tasyo wrote:
If I understand the way apt-get works, it -- by default -- installs the latest available version only. If an older version in the repo exists and you already have a higher version installed, apt-get isn't going to roll back, unless you explicitly tell it to install a specific version. Check the apt-get man page for details.

Not exactly. It depends on the priority also. If your repo has a priority too low, a new version will not be installed unless you explicitly choose to do so.
Last edited by killer de bug on Fri Sep 26, 2014 1:22 pm, edited 1 time in total.
Re: BASH vulnerability a.k.a. 'Shellshock'
Pilosopong Tasyo wrote:
If I understand the way apt-get works, it -- by default -- installs the latest available version only.

killer de bug wrote:
If [your] repo has a priority too low, a new version will not be installed unless you explicitly choose to do so.

Package management functionality is now very fine-grained, aka potentially very complex. IMHO, rather than trying to out-think the PM, let it tell you what it wants to do with `-s`.
Re: BASH vulnerability a.k.a. 'Shellshock'
and for those who want to upgrade bash only:
Code:
apt-get install --only-upgrade bash
Re: BASH vulnerability a.k.a. 'Shellshock'
Habitual wrote:
and for those who want to upgrade bash only:
Code:
apt-get install --only-upgrade bash

I am kind of confused now. I run Mint 16 KDE 64 bit, no server and just for personal use. Cannot change to 17 so quickly, although I intend to eventually.
If, in 16, I apply
Much appreciate your expert advice,
pe1800
Re: BASH vulnerability a.k.a. 'Shellshock'
pe:
If it will "let" you. I don't know about LM16 repository statuses for users on that release. Sorry.
Someone else will let you know... if and how.
Have a Great Day.
Re: BASH vulnerability a.k.a. 'Shellshock'
LM16 is obsolete and repo are not available anymore. Please read this : http://forums.linuxmint.com/viewtopic.php?f=90&t=173378
Re: BASH vulnerability a.k.a. 'Shellshock'
I tried looking for updates and it came back that my system is up to date, however, when I run:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
it still comes back that my system is vulnerable. I have the latest release of Mint (KDE).
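The probe 420trvlr ran above is the usual check for CVE-2014-6271, and it matches the mechanism described earlier in the thread: a "function definition" in an environment variable with a command trailing after the closing brace. The POSIX sh script below is an added example, not something posted in the thread, that wraps that same probe in a function returning a status word and an exit code, so it can be run from a script after updating rather than read by eye. It assumes only that a bash binary is available to test; the function names shellshock_status and shellshock_report are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the CVE-2014-6271 probe quoted in
# the thread so scripts get a status word and an exit code instead of output
# that has to be read by eye.

# shellshock_status [path-to-bash]
# Prints "vulnerable", "patched" or "missing" and returns 1, 0 or 2 respectively.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # The probe from the thread: an exported "function" whose value carries a
    # command after the closing brace. An unpatched bash runs that trailing
    # command while importing the function; a patched bash ignores it and only
    # runs the -c script, so "vulnerable" never appears in the output.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1)
    case "$out" in
        *vulnerable*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# shellshock_report [path-to-bash]
# Prints the verdict next to the bash version string, so the record shows what
# binary was actually tested (useful when Update Manager says "up to date" but
# the probe disagrees, as in the post above).
shellshock_report() {
    bash_bin="${1:-bash}"
    status=$(shellshock_status "$bash_bin") || true
    version=$("$bash_bin" --version 2>/dev/null | head -n 1)
    printf '%s: %s (%s)\n' "$bash_bin" "$status" "${version:-version unknown}"
}

shellshock_report "$@"
```

Run it as `sh shellshock-check.sh` (or with an explicit path such as `/bin/bash` as the first argument); a non-zero exit code means the tested binary still executes the trailing command, whatever the package manager reports.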
- tdockery97
- Level 14
- Posts: 5058
- Joined: Sun Jan 10, 2010 8:54 am
- Location: Mt. Angel, Oregon
Re: BASH vulnerability a.k.a. 'Shellshock'
@420trvlr: Right-click your Update Manager icon and select Preferences. On the Levels tab make sure that both "Always show security updates" and "Always select and trust security updates" are checked. If these are not checked you are missing out on critical security updates.
NOTE: Checking and installing security updates normally will not break your system. It will NOT upgrade your kernel; it will just apply security patches to the current kernel and system.
Mint Cinnamon 20.1
Re: BASH vulnerability a.k.a. 'Shellshock'
Older (obsolete) versions can be patched easily, I just found a way:
regardless of which Ubuntu based system you use, change your sources list to:
Code:
#for bash only update
deb http://de.archive.ubuntu.com/ubuntu trusty main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-updates main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-security main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
open a root terminal and execute:
Code:
apt-get update
apt-get install --only-upgrade bash
now change your sources list back to what it was, run "apt-get update" again and you're done! I just tried this on my Mint Olivia and it worked fine.
btw, for those who don't know: It's still possible to install stuff on old versions, even if the original repos are gone, because Ubuntu has these:
Code:
deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-security main restricted universe multiverse
Not just raring, other obsolete versions, too. But no new security updates, so keep using at your own risk.
Re: BASH vulnerability a.k.a. 'Shellshock'
Nice find, Frisil, thank you! I was wondering about my old laptop running Julia (just!).
Nah! It didn't work!
Last edited by turtlebay777 on Sat Sep 27, 2014 5:55 am, edited 1 time in total.
Re: BASH vulnerability a.k.a. 'Shellshock'
frisil wrote:
Older (obsolete) versions can be patched easily, I just found a way:

Could you please post the output of
Code:
apt policy bash
Please do this with your Olivia system.
Re: BASH vulnerability a.k.a. 'Shellshock'
This is the result after following his instructions on Julia
Code:
pete@mint10-64bit-desktop ~ $ apt policy bash
bash:
  Installed: 4.1-2ubuntu4
  Candidate: 4.1-2ubuntu4
  Version table:
 *** 4.1-2ubuntu4 0
        100 /var/lib/dpkg/status
Re: BASH vulnerability a.k.a. 'Shellshock'
mouhahahahaha

4.1-2ubuntu4
Superseded in natty-release on 2010-12-13
Obsolete in maverick-release on 2013-03-05
bash (4.1-2ubuntu4) maverick; urgency=low
* debian/skel.bashrc: add 'alert' alias, LP: #616028
-- Dustin Kirkland <email address hidden> Tue, 10 Aug 2010 15:35:08 -0400
Available diffs
diff from 4.1-2ubuntu3 to 4.1-2ubuntu4 (621 bytes)

So please STOP USING OBSOLETE RELEASE. and if you do it, please STOP ADVERTISING IT. IT'S DANGEROUS
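The apt policy output pete posted and killer de bug's reaction to it make the same point from two sides: "up to date" only means "nothing newer in any source apt can see", and on an obsolete release the only source left is the local dpkg status file (priority 100), so no fix can ever arrive. The POSIX sh script below is an added example, not anything posted in the thread, that parses output of that shape into a one-word verdict so a script can tell that case apart from a system that is genuinely current or has a patch on offer. The two sample outputs are constructed (the second uses placeholder version strings and the default archive priority of 500), and the function names policy_field, has_archive_source, apt_policy_verdict and check_bash_policy are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Turns 'apt policy <pkg>' output into a
# one-word verdict so a script can distinguish "already has the newest version
# a repository offers" from "no repository offers anything at all", which is the
# situation of the obsolete release shown in the thread.

# Constructed sample modelled on the Julia output posted above: the only source
# listed is the local dpkg status file (priority 100), so there is no archive
# that could ever supply a fix.
SAMPLE_NO_REPO='bash:
  Installed: 4.1-2ubuntu4
  Candidate: 4.1-2ubuntu4
  Version table:
 *** 4.1-2ubuntu4 0
        100 /var/lib/dpkg/status'

# Constructed sample for a supported release whose security pocket (default
# archive priority 500) offers a newer package. Version strings are placeholders.
SAMPLE_UPGRADE='bash:
  Installed: 4.3-7ubuntu1
  Candidate: 4.3-7ubuntu1.99
  Version table:
     4.3-7ubuntu1.99 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 4.3-7ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status'

# policy_field <Installed|Candidate>   (stdin: apt policy output)
policy_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# has_archive_source   (stdin: apt policy output)
# True when at least one version-table source is an archive rather than the
# local /var/lib/dpkg/status file. Source lines start with a bare priority.
has_archive_source() {
    awk '$1 ~ /^[0-9]+$/ && $2 != "/var/lib/dpkg/status" { found = 1 }
         END { exit !found }'
}

# apt_policy_verdict   (stdin: apt policy output)
# Prints "not-installed", "upgrade-available", "up-to-date" or "no-repo";
# prints "unparsable" and returns 1 when the input is not apt policy output.
apt_policy_verdict() {
    text=$(cat)
    inst=$(printf '%s\n' "$text" | policy_field Installed)
    cand=$(printf '%s\n' "$text" | policy_field Candidate)
    if [ -z "$inst" ] || [ -z "$cand" ]; then
        echo "unparsable"
        return 1
    fi
    if [ "$inst" = "(none)" ]; then
        echo "not-installed"
    elif [ "$inst" != "$cand" ]; then
        # apt only proposes a candidate that differs from the installed version
        # when a source with sufficient priority offers it.
        echo "upgrade-available"
    elif printf '%s\n' "$text" | has_archive_source; then
        echo "up-to-date"
    else
        echo "no-repo"
    fi
}

# check_bash_policy [package]: run the verdict against the live system.
# apt-cache policy is the long-standing equivalent of the 'apt policy' used above.
check_bash_policy() {
    apt-cache policy "${1:-bash}" | apt_policy_verdict
}

# Demonstrate on the constructed samples.
printf 'Julia-style output: %s\n' "$(printf '%s\n' "$SAMPLE_NO_REPO" | apt_policy_verdict)"
printf 'Patch on offer:     %s\n' "$(printf '%s\n' "$SAMPLE_UPGRADE" | apt_policy_verdict)"
```

A verdict of "no-repo" is the case the thread is arguing about: the package manager is not lying when it says there is nothing to install, it simply has no archive to install from, and the only remedies are the ones killer de bug gives (move to a supported release) rather than anything apt can do on its own.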
Re: BASH vulnerability a.k.a. 'Shellshock'
I didn't advertise it PAL so keep it civil! OK?
Now get off your rocking horse and realise that there are a hell of a lot of people still using older hardware that your precious 13 and 17 won't run on because they are too big and need too much RAM and too fast a cpu!
Unless you fancy releasing something smaller for us?
Re: BASH vulnerability a.k.a. 'Shellshock'
frisil wrote:
Older (obsolete) versions can be patched easily, I just found a way:

This is advertisement, period! You're not the center of the world. This sentence makes people believe they can fix their obsolete systems and it's wrong. This has nothing to do here and it's dangerous.
Funny to see you deleted your insults... Nice bravery...

turtlebay777 wrote:
Unless you fancy releasing something smaller for us?

There are so many GNU/Linux systems doing this, use google and you will find them... And sorry, I don't help people insulting me...
Re: BASH vulnerability a.k.a. 'Shellshock'
By the way, LMDE will be patched as soon as a final patch will be available in Debian Testing.
Source is the team...