Re: Shell Shock vulnerability

Posted: Thu Sep 25, 2014 6:52 am
by eanfrid
Looks like you are running an unsupported LM release. LM13 and LM17 already provide patched versions.

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 6:55 am
by nomko
Already asked and answered:

http://forum.linuxmint.com/viewtopic.php?f=200&t=178897
http://forum.linuxmint.com/viewtopic.php?f=6&t=178925


Next time, please search the forum first for related topics before posting the same question/issue/problem again.

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 6:58 am
by eanfrid
Debian and Ubuntu use /bin/sh, symlinked to /bin/dash (not bash) for system scripts. Unless you use user/custom or alternate system scripts using /bin/bash, you were not much at risk. I don't think SELinux would actually be useful there. It is overrated regarding this kind of threat.
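
An added example, not part of the post above or of any Mint tooling: one way to check the two things that post refers to, namely what /bin/sh resolves to on a given machine and which scripts in a directory name bash in their shebang line. The function names (`resolve_shell`, `uses_bash`, `list_bash_scripts`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find out which shell scripts really use.
# Function names below are this example's own.

# Print the real file behind a path, following symlinks (e.g. /bin/sh -> dash).
resolve_shell() {
    readlink -f -- "$1"
}

# Succeed if the first line of file $1 is a shebang that runs bash, either
# directly (#!/bin/bash, #!/usr/bin/bash) or through env (#!/usr/bin/env bash).
uses_bash() {
    head -n 1 -- "$1" 2>/dev/null | tr -d '\r' |
        grep -Eq '^#![[:space:]]*(/[^[:space:]]*/)?(bash|env([[:space:]]+-[^[:space:]]+)*[[:space:]]+bash)([[:space:]]|$)'
}

# List, sorted, every regular file under directory $1 whose shebang runs bash.
# File names containing newlines are not handled.
list_bash_scripts() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        if uses_bash "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: pass a directory, e.g. /etc/init.d or ~/bin.
if [ -n "${1:-}" ]; then
    printf '/bin/sh resolves to: %s\n' "$(resolve_shell /bin/sh)"
    list_bash_scripts "$1"
fi
```

This reads only the shebang line, so a `#!/bin/sh` script that calls bash explicitly further down will not be listed.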

Re: Shell Shock vulnerability

Posted: Thu Sep 25, 2014 7:04 am
by jonniosaurus
I'm on 16

Re: Shell Shock vulnerability

Posted: Thu Sep 25, 2014 7:10 am
by eanfrid
Then you will never again get bug fixes or security updates...
http://forums.linuxmint.com/viewtopic.p ... 3&t=173378

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 7:33 am
by linx255
@nomko: I don't think you read my post. My questions were not answered on those links which I already visited prior to posting. Yes, I know it has already been patched... My questions remain.

@eanfrid: I use /bin/bash for all my scripts, never dash. I have switched from dash to bash because I like its functionality and speed doesn't matter.

Even though it has been patched I like to know more about the topic than what I've seen on forums and news articles so far, and my questions are about the past, not what is now. Best!

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 8:05 am
by nomko
Just read 1 or 2 things about this so-called "vulnerability". IMHO this is a minor issue blown up to unscalable proportions.

First thing:
It looks like it is written by somebody who does not understand the functioning and essence of a UNIX system. He writes about bash like it is a Linux/Apple issue, but it is not. It's about bash as an application that does not run only on Linux or Apple, but on many more systems.

Secondly, this so-called threat isn't a threat like some Windows virus. This is an application leak which can only be harmful under your own account. Nevertheless anyone must first gain access to that account and deliberately and knowingly download such a script and run it. And after running that script, it will only harm your account and not the entire installation.
This issue is especially dangerous as there are many possible ways Bash can be called by an application
Yes, there are many ways: php, perl and many other script languages.
could leave systems running those operating systems open to exploitation by specially crafted attacks
Special scripts which need to be downloaded deliberately and knowingly. Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?

Another crappy story that has been blown up out of proportion....

Shellshock bug in BASH . . . [Solved]

Posted: Thu Sep 25, 2014 8:06 am
by ithoughtyouhadit
Well this is embarrassing, what am I supposed to tell my friends?
I've been telling them how perfect it is and how it's almost immune to viruses.

http://www.bbc.co.uk/news/technology-29361794

Re: Shellshock bug in BASH . . .

Posted: Thu Sep 25, 2014 8:13 am
by 1.618

Re: Shellshock bug in BASH . . .

Posted: Thu Sep 25, 2014 8:15 am
by 1.618
Well according to this the issue can be corrected

http://www.ubuntu.com/usn/usn-2362-1/

Re: Shell Shock vulnerability

Posted: Thu Sep 25, 2014 8:19 am
by ktheking
eanfrid wrote: LM13 and LM17 already provide patched versions.
Where did you get this info? I doubt that's the case.
This is about this bug, no?: http://www.csoonline.com/article/268726 ... -6271.html

Re: Shellshock bug in BASH . . .

Posted: Thu Sep 25, 2014 8:22 am
by ithoughtyouhadit
Brilliant, I'll make sure I'm updated... thanks for that. :-)

Re: Shellshock bug in BASH . . .

Posted: Thu Sep 25, 2014 8:25 am
by Pilosopong Tasyo
ithoughtyouhadit wrote: Well this is embarrassing, what am I supposed to tell my friends?
Tell them it's already patched up. All they have to do is install security updates from their update manager. :wink:

I have a gut feeling fear-mongers will blow this issue out of proportion in the next several days. The patch has already been issued hours ago. I wonder if these tech/news/blog sites are going to report about the patch instead of feasting on this media circus. :lol:

Re: Shell Shock vulnerability

Posted: Thu Sep 25, 2014 8:56 am
by eanfrid
For LM17: v 4.3-7ubuntu1.1
For LM13: v 4.2-2ubuntu2.2

Re: Shellshock bug in BASH . . . [Solved]

Posted: Thu Sep 25, 2014 9:09 am
by Habitual
ithoughtyouhadit wrote: I've been telling them how perfect it is and how it's almost immune to viruses.
It's not a virus.
Linux is NOT immune to vulnerabilities, then you tell them the difference between a virus and a vulnerability.
Then tell them how they didn't have to wait for "Patch Tuesday" to get a fix.
Makes you look smart. ;)

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 9:39 am
by linx255
nomko wrote: Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?...
Another crappy story that has been blown up out of proportion....
Yeah, that's the first thing I thought. How would they even get code on there in the first place? Lol. If it's just a matter of keeping unauthorized users from accessing your root-enabled machine, well, that's nothing new for sure. They made it sound like your server could be attacked out of the blue without gaining authentication, which made no sense.

Re: What's this about bash?

Posted: Thu Sep 25, 2014 10:45 am
by karlchen
[Info]
Mint 13 - Updates received today

Code:

bash (4.2-2ubuntu2.2) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect function parsing
    - debian/patches/CVE-2014-6271.diff: fix function parsing in
      bash/builtins/common.h, bash/builtins/evalstring.c, bash/variables.c.
    - CVE-2014-6271

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 22 Sep 2014 15:31:07 -0400

Code:

Commit Log for Thu Sep 25 16:37:56 2014
The following packages have been updated:
bash (4.2-2ubuntu2.1) to 4.2-2ubuntu2.2
libnss3 (3.17-0ubuntu0.12.04.1) to 3.17.1-0ubuntu0.12.04.1
libnss3-1d (3.17-0ubuntu0.12.04.1) to 3.17.1-0ubuntu0.12.04.1

I know I received the corresponding bash update for Mint 17 last night. Cannot post the software package changelog at this point in time because I am sitting in front of my Mint 13 office machine.

Don't panic. Update. Be happy.

Karl

Re: What's this about bash?

Posted: Thu Sep 25, 2014 10:59 am
by pessimizer
Just to update on this:

1) it is a major bug, there are many proofs of concept, including through dhclient and through crafting headers in GETs that are passed to programs through cgi (I think that the ktorrent remote web administration interface seems like the type of thing that would be vulnerable - I haven't tested yet, just cut it off from the open web.)

2) The patch doesn't work.

3) Exploits are in the wild, right now.

Everything you need to know about the Shellshock Bash bug: http://www.troyhunt.com/2014/09/everyth ... about.html
CVE-2014-7169: Bash Fix Incomplete, Still Exploitable: http://seclists.org/oss-sec/2014/q3/685
Bash 'shellshock' bug is wormable: http://blog.erratasec.com/2014/09/bash- ... mable.html
ShellShock exploited in the wild: kernel exploit with CnC component: https://gist.github.com/anonymous/929d622f3b36b00c0be1

Re: Recent bash vulnerability and patch questions

Posted: Thu Sep 25, 2014 11:15 am
by niowluka
linx255 wrote:
Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?...
Another crappy story that has been blown up out of proportion....
Yeah, that's the first thing I thought. How would they even get code on there in the first place? Lol. If it's just a matter of keeping unauthorized users from accessing your root-enabled machine, well, that's nothing new for sure. They made it sound like your server could be attacked out of the blue without gaining authentication, which made no sense.
In SSH I think it's a matter of executing a command similar to the test one. According to RedHat one can bypass the SSH command restrictions this way. Of course, someone would have to log in first, so 'duh!'.

The httpd exploit has something to do with cgi scripts, so that's beyond me.

Anyway, no known exploits exist, and the only people who should be worried are most likely not on this forum, or have anything to do with Mint for that matter...

Re: What's this about bash?

Posted: Thu Sep 25, 2014 11:22 am
by niowluka
pessimizer wrote: 1) it is a major bug, there are many proofs of concept, including through dhclient and through crafting headers in GETs that are passed to programs through cgi (I think that the ktorrent remote web administration interface seems like the type of thing that would be vulnerable - I haven't tested yet, just cut it off from the open web.)

2) The patch doesn't work.

3) Exploits are in the wild, right now.
:lol: