LMDE: Shellshock Bash Bug Fix?
Forum rules
LMDE 2 has reached end of support as of 1-1-2019
Re: LMDE: Shellshock Bash Bug Fix?
Hi Kurotsugi,
You are right about the patch issue in LMDE, but Linux Mint is a desktop-oriented distribution, and (even if it's able to) it hasn't been made on purpose for hosting services across the internet. Taking this into account, the exposure of a basic LMDE setup to any external hazard should be quite low (patched or not). You need to tinker around to mess things up and expose yourself, and a basic or average user wouldn't do that.
Besides, people should be aware that Samba, CUPS and other network-based services shouldn't be made available outside the local network. And so on with keeping weak passwords, saving them in your browser, having a poorly secured wireless network, using third-party non-signed/non-trusted software, opening mail from unknown recipients and so on...
I wonder if there's any way to help to speed up the debian testing -> LMDE patch assimilation process from there.
If your main concern is security, you can also swap to FreeBSD or NetBSD if needed...
Be water, my friend and flow with those patches!
Re: LMDE: Shellshock Bash Bug Fix?
remember that we are talking about a system with 200+ security holes. it doesn't matter if you're running a desktop or a server. if you're running on LMDE you don't have to screw your system. your system already opens 200+ doors for that malicious stuff. remember that LMDE is created by mint team, a famous linux distro with #1 rank on distrowatch. the reputation of LMDE having 200+ security holes should already have spread widely. it's a public invitation to hack your system.
Re: LMDE: Shellshock Bash Bug Fix?
metalhamster wrote: I wonder if there's any way to help to speed up the debian testing -> LMDE patch assimilation process from there.
Will be done automatically on the transition of LMDE to the next Debian Stable - all the security patches will be delivered via Debian repos.
Re: LMDE: Shellshock Bash Bug Fix?
This is the best resource I've seen: https://shellshocker.net/
bash 4.3-11 just landed in sid, and passes all their tests.
Code:
$ ./shellshock_test.sh
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Re: LMDE: Shellshock Bash Bug Fix?
The LMDE patch came on the Update Manager on September 30...
or has the topic of this thread changed?
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
Re: LMDE: Shellshock Bash Bug Fix?
Quote: The LMDE patch came on the Update Manager on September 30...
according to this site LMDE hasn't patched anything regarding bash http://packages.linuxmint.com/list.php? ... bian#romeo
the latest security updates were in March for the famous heartbleed and openssl issue.
Re: LMDE: Shellshock Bash Bug Fix?
And according to the same site, you are once again saying something wrong.
http://packages.linuxmint.com/list.php? ... ian#import
Bash has been patched in LMDE...
KDB@KDB-laptop ~ $ apt policy bash
bash:
Installé : 4.3-9.2
Candidat : 4.3-9.2
Table de version :
*** 4.3-9.2 0
700 http://packages.linuxmint.com/ debian/import amd64 Packages
100 /var/lib/dpkg/status
4.2+dfsg-1 0
500 http://mirrors.nic.cz/linuxmint-debian/incoming/ testing/main amd64 Packages
Re: LMDE: Shellshock Bash Bug Fix?
I've been wondering where our legendary defender has been these past few days. great to see you there :3
btw, the answer is right above you. care to look carefully into this matter?
mockturtl wrote: This is the best resource I've seen: https://shellshocker.net/
bash 4.3-11 just landed in sid, and passes all their tests.
lmde's security patches were done via romeo branch. I missed bash because mint team silently moved the security patch to import branch. does that mean you're safe now? AFAIK, no. bash 4.3-9 contains the temporary solution for the vulnerability and didn't fully solve the problem. http://arstechnica.com/security/2014/09 ... ck-a-mole/. if you do the test on shellshock you'll find that lmde's bash is still vulnerable.
Re: LMDE: Shellshock Bash Bug Fix?
kurotsugi wrote: does that mean you're safe now? AFAIK, no.
It's a moving target, as related vulnerabilities have been discovered.
For what it's worth, according to my tests earlier today:
- cygwin is fully patched
- OSX Mavericks is vulnerable to 4 out of 7
- OSX Yosemite beta has patched everything but CVE-2014-6277 ("segfault")
- edit: OSX Yosemite beta is fully patched; the failure was a false alarm. Discussion below.
Last edited by mockturtl on Fri Oct 10, 2014 11:32 am, edited 1 time in total.
Re: LMDE: Shellshock Bash Bug Fix?
kurotsugi wrote: lmde's security patches were done via romeo branch. I missed bash because mint team silently moved the security patch to import branch.
Saying this proves that you don't understand the way Mint works... Putting security fixes in the unstable repo, which is not recommended to be used by every user... Seriously
Re: LMDE: Shellshock Bash Bug Fix?
mockturtl wrote: This is the best resource I've seen: https://shellshocker.net/
bash 4.3-11 just landed in sid, and passes all their tests.
Code:
$ ./shellshock_test.sh
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Wait, but 4.3-9.2 passes these tests as well:
Code:
monsta@asylum ~ $ apt policy bash
bash:
Установлен: 4.3-9.2
Кандидат: 4.3-9.2
Таблица версий:
*** 4.3-9.2 0
700 http://debian.lth.se/linuxmint/ debian/import amd64 Packages
100 /var/lib/dpkg/status
4.2+dfsg-1 0
500 http://debian.lth.se/lmde/latest/ testing/main amd64 Packages
Code:
monsta@asylum ~ $ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2627 100 2627 0 0 2169 0 0:00:01 0:00:01 --:--:-- 2171
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Re: LMDE: Shellshock Bash Bug Fix?
I am not really sure what you guys are going on about.
is there something else we should be doing? Other checks we should make?
Over here we are just letting Update Manager do its thing without any user tweaking:
Code:
peter@sager-lmde:~$ apt policy bash
bash:
Installed: 4.3-9.2
Candidate: 4.3-9.2
Version table:
*** 4.3-9.2 0
700 http://packages.linuxmint.com/ debian/import amd64 Packages
100 /var/lib/dpkg/status
4.2+dfsg-1 0
500 http://debian.linuxmint.com/latest/ testing/main amd64 Packages
peter@sager-lmde:~$
Code:
peter@sager-lmde:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2627 100 2627 0 0 4955 0 --:--:-- --:--:-- --:--:-- 4956
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
peter@sager-lmde:~$
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
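Added example (not part of any post in this thread): the posts above show `apt policy bash` output in French, Russian and English, and the disagreement was over which repository branch (romeo or import) delivered the fix. This sketch reads that output regardless of locale and reports where the installed version comes from; the function names and the second sample are constructed for illustration.

```shell
# Added example, not from the thread; function names are this example's own.

# installed_origin: read `apt policy <pkg>` output on stdin and print
#   <installed-version> <pin-priority> <repo-url> <suite/component>
# It keys on the "***" marker, which apt prints in every locale.
installed_origin() {
    awk '
        $1 == "***"          { ver = $2; want = 1; next }
        want && $2 ~ /:\/\// { print ver, $1, $2, $3; found = 1; exit }
        want && $2 ~ /^\//   { next }      # local /var/lib/dpkg/status entry
        want                 { want = 0 }  # next version entry: stop looking
        END                  { if (!found) exit 1 }
    '
}

# installed_from: succeed only if the installed version is offered by the
# given suite/component, for example debian/import.
installed_from() {
    origin=$(installed_origin) || return 1
    [ "${origin##* }" = "$1" ]
}

# Sample 1: the French-locale output posted earlier in the thread.
sample_fr() { cat <<'EOF'
bash:
  Installé : 4.3-9.2
  Candidat : 4.3-9.2
 Table de version :
 *** 4.3-9.2 0
        700 http://packages.linuxmint.com/ debian/import amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-1 0
        500 http://mirrors.nic.cz/linuxmint-debian/incoming/ testing/main amd64 Packages
EOF
}

# Sample 2 (constructed): the installed version is known only to dpkg.
sample_orphan() { cat <<'EOF'
bash:
  Installed: 4.3-9.2
 *** 4.3-9.2 0
        100 /var/lib/dpkg/status
     4.2+dfsg-1 0
        500 http://debian.linuxmint.com/latest/ testing/main amd64 Packages
EOF
}
# On a live system: apt policy bash | installed_origin
sample_fr | installed_origin
sample_orphan | installed_origin || echo "installed version is not offered by any configured repository"
```

A non-zero exit from `installed_origin` means no configured repository offers the installed version, so future fixes for it will not arrive through the Update Manager.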
Re: LMDE: Shellshock Bash Bug Fix?
Monsta wrote: Did I miss something?
Maybe the part where kurotsugi clearly says that he did not try the patch from LMDE before saying that it doesn't solve the problem?
Re: LMDE: Shellshock Bash Bug Fix?
Monsta wrote: Did I miss something?
That's interesting. Versions 4.3-9.2 and 4.3-10 failed the "segfault" test in my local copy of the script; it must have changed.
Looks like it was a false alarm: https://github.com/wreiske/shellshocker ... 0bbf8fca74
[debian changelog]
(Does anyone know why the new 'tracker.debian.org' does not link to the changelog, compared to the old 'packages.qa.debian.org'?)
Re: LMDE: Shellshock Bash Bug Fix?
mockturtl wrote: (Does anyone know why the new 'tracker.debian.org' does not link to the changelog, compared to the old 'packages.qa.debian.org'?)
The changelog links are on the left side (the "versioned links" pane) - click on the "plus in circle" icon.
It's not easy to find, and there's a bug report about it.
Re: LMDE: Shellshock Bash Bug Fix?
Monsta wrote: The changelog links are on the left side (the "versioned links" pane) - click on the "plus in circle" icon.
It's not easy to find, and there's a bug report about it.
Ah! Thank you. That's a strange adjustment to the layout.