LMDE: Shellshock Bash Bug Fix?

Archived topics about LMDE 1 and LMDE 2
User avatar
metalhamster
Level 1
Level 1
Posts: 3
Joined: Sat Sep 27, 2014 9:28 am
Location: Madrid, Spain

Re: LMDE: Shellshock Bash Bug Fix?

Post by metalhamster »

Hi Kurotsugi,

You are right with the patch issue in LMDE, but Linux Mint is a desktop oriented distribution, and (even if it's able to) it hasn't been made on purpose for hosting services across internet. Taking this into account, the exposure of a LMDE basic setup to any external hazard should be quite low (patched or not). You need to tinker around for messing things up and expose yourself, and a basic or average user wouldn't do that.

Besides, people should be aware that Samba, CUPS and other network based services shouldn't be made available outside from the local network. And so on with keeping weak passwords, saving them on your browser, having a poor secured wireless network, using third party non-signed/non-trusted software, opening mail from unknown recipients and so on...

I wonder if there's any way to help to speed up the debian testing -> LMDE patch assimilation process from there.
If your main concern is security, you can also swap to FreeBSD or NetBSD if needed...

Be water, my friend and flow with those patches! ;-)
kurotsugi
Level 6
Level 6
Posts: 1026
Joined: Fri Jan 25, 2013 3:54 am

Re: LMDE: Shellshock Bash Bug Fix?

Post by kurotsugi »

remember that we are talking about a system with 200+ security hole. it doesn't matter if you're running a desktop or a server. if you're running on LMDE you don't have to screw your system. your system already open 200+ door for those malicious stuffs. remember that LMDE is created by mint team, a famous linux distro with #1 rank on distrowatch. the reputation of LMDE having 200+ security holes should already spreaded widely. it's a public invitation to hack your system.
Monsta
Level 10
Level 10
Posts: 3058
Joined: Fri Aug 19, 2011 3:46 am

Re: LMDE: Shellshock Bash Bug Fix?

Post by Monsta »

metalhamster wrote:I wonder if there's any way to help to speed up the debian testing -> LMDE patch assimilation process from there.
Will be done automatically on the transition of LMDE to the next Debian Stable - all the security patches will be delivered via Debian repos.
User avatar
mockturtl
Level 4
Level 4
Posts: 452
Joined: Sat Oct 09, 2010 8:51 pm

Re: LMDE: Shellshock Bash Bug Fix?

Post by mockturtl »

This is the best resource I've seen: https://shellshocker.net/

bash 4.3-11 just landed in sid, and passes all their tests.

Code: Select all

 $ ./shellshock_test.sh 
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Image
User avatar
sdibaja
Level 5
Level 5
Posts: 773
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: LMDE: Shellshock Bash Bug Fix?

Post by sdibaja »

The LMDE patch came on the Update Manager on September 30...

or has the topic of this thread changed?
Peter
Mate desktop https://mate-desktop.org/
Debian GNU/Linux operating system: https://cdimage.debian.org/images/unoff ... -firmware/
kurotsugi
Level 6
Level 6
Posts: 1026
Joined: Fri Jan 25, 2013 3:54 am

Re: LMDE: Shellshock Bash Bug Fix?

Post by kurotsugi »

The LMDE patch came on the Update Manager on September 30...
according to this site LMDE haven't patch anything regarding bash http://packages.linuxmint.com/list.php? ... bian#romeo
the latest security updates were on march for the famous heartbleed and openssl issue.
User avatar
killer de bug
Level 14
Level 14
Posts: 5398
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: LMDE: Shellshock Bash Bug Fix?

Post by killer de bug »

And according to the same site, you are once again saying something wrong.
http://packages.linuxmint.com/list.php? ... ian#import

Bash has been patched in LMDE... :roll:

KDB@KDB-laptop ~ $ apt policy bash
bash:
Installé : 4.3-9.2
Candidat : 4.3-9.2
Table de version :
*** 4.3-9.2 0
700 http://packages.linuxmint.com/ debian/import amd64 Packages
100 /var/lib/dpkg/status
4.2+dfsg-1 0
500 http://mirrors.nic.cz/linuxmint-debian/incoming/ testing/main amd64 Packages
If it ain't broke, fix it until it is.
kurotsugi
Level 6
Level 6
Posts: 1026
Joined: Fri Jan 25, 2013 3:54 am

Re: LMDE: Shellshock Bash Bug Fix?

Post by kurotsugi »

I've been wondering where are our legendary defender on these past few days. great to see you there :3
btw, the answer is right above you. care to look carefully into this matter?
This is the best resource I've seen: https://shellshocker.net/

bash 4.3-11 just landed in sid, and passes all their tests.
lmde's security patch were done via romeo branch. I missed bash because mint team silently move the security patch to import branch. is that means you're safe now? AFAIK, no. bash 4.3-9 contain the temporary solution for the vulnerability and didn't fully solve the problem. http://arstechnica.com/security/2014/09 ... ck-a-mole/. if you do the test on shellshock you'll found that lmde's bash is still vulnerable.
User avatar
mockturtl
Level 4
Level 4
Posts: 452
Joined: Sat Oct 09, 2010 8:51 pm

Re: LMDE: Shellshock Bash Bug Fix?

Post by mockturtl »

kurotsugi wrote:is that means you're safe now? AFAIK, no.
It's a moving target, as related vulnerabilities have been discovered.

For what it's worth, according to my tests earlier today:
  • cygwin is fully patched
  • OSX Mavericks is vulnerable to 4 out of 7
  • OSX Yosemite beta has patched everything but CVE-2014-6277 ("segfault")
    • edit: OSX Yosemite beta is fully patched; the failure was a false alarm. Discussion below.
Last edited by mockturtl on Fri Oct 10, 2014 11:32 am, edited 1 time in total.
Image
User avatar
killer de bug
Level 14
Level 14
Posts: 5398
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: LMDE: Shellshock Bash Bug Fix?

Post by killer de bug »

kurotsugi wrote: lmde's security patch were done via romeo branch. I missed bash because mint team silently move the security patch to import branch.
Saying this proves that you don't understand the way Mint work... Putting security fix in the instable repo, that are not recommended to be used by every users... Seriously :roll:
If it ain't broke, fix it until it is.
Monsta
Level 10
Level 10
Posts: 3058
Joined: Fri Aug 19, 2011 3:46 am

Re: LMDE: Shellshock Bash Bug Fix?

Post by Monsta »

mockturtl wrote:This is the best resource I've seen: https://shellshocker.net/

bash 4.3-11 just landed in sid, and passes all their tests.

Code: Select all

 $ ./shellshock_test.sh 
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Wait, but 4.3-9.2 passes these tests as well:

Code: Select all

monsta@asylum ~ $ apt policy bash
bash:
  Установлен: 4.3-9.2
  Кандидат:   4.3-9.2
  Таблица версий:
 *** 4.3-9.2 0
        700 http://debian.lth.se/linuxmint/ debian/import amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-1 0
        500 http://debian.lth.se/lmde/latest/ testing/main amd64 Packages

Code: Select all

monsta@asylum ~ $ curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   2169      0  0:00:01  0:00:01 --:--:--  2171
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Did I miss something? :?
User avatar
sdibaja
Level 5
Level 5
Posts: 773
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: LMDE: Shellshock Bash Bug Fix?

Post by sdibaja »

I am not really sure what you guys are going on about.
Over here we are just letting Update Manager do it's thing without any user tweaking:

Code: Select all

peter@sager-lmde:~$ apt policy bash
bash:
  Installed: 4.3-9.2
  Candidate: 4.3-9.2
  Version table:
 *** 4.3-9.2 0
        700 http://packages.linuxmint.com/ debian/import amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-1 0
        500 http://debian.linuxmint.com/latest/ testing/main amd64 Packages
peter@sager-lmde:~$ 

Code: Select all

peter@sager-lmde:~$ curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   4955      0 --:--:-- --:--:-- --:--:--  4956
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
peter@sager-lmde:~$ 
is there something else we should be doing? Other checks we should make?
Peter
Mate desktop https://mate-desktop.org/
Debian GNU/Linux operating system: https://cdimage.debian.org/images/unoff ... -firmware/
User avatar
killer de bug
Level 14
Level 14
Posts: 5398
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: LMDE: Shellshock Bash Bug Fix?

Post by killer de bug »

Monsta wrote: Did I miss something? :?
Maybe the part where kurotsugi clearly says that he did not try the patch from LMDE before saying that it doesn't solve the problem? :?
If it ain't broke, fix it until it is.
User avatar
mockturtl
Level 4
Level 4
Posts: 452
Joined: Sat Oct 09, 2010 8:51 pm

Re: LMDE: Shellshock Bash Bug Fix?

Post by mockturtl »

Monsta wrote:Did I miss something? :?
That's interesting. Versions 4.3-9.2 and 4.3-10 failed the "segfault" test in my local copy of the script; it must have changed.

Looks like it was a false alarm: https://github.com/wreiske/shellshocker ... 0bbf8fca74

[debian changelog]

(Does anyone know why the new 'tracker.debian.org' does not link to the changelog, compared to the old 'packages.qa.debian.org'?)
Image
Monsta
Level 10
Level 10
Posts: 3058
Joined: Fri Aug 19, 2011 3:46 am

Re: LMDE: Shellshock Bash Bug Fix?

Post by Monsta »

mockturtl wrote:(Does anyone know why the new 'tracker.debian.org' does not link to the changelog, compared to the old 'packages.qa.debian.org'?)
The changelog links are on the left side (the "versioned links" pane) - click on the "plus in circle" icon.
It's not easy to find, and there's a bug report about it.
User avatar
mockturtl
Level 4
Level 4
Posts: 452
Joined: Sat Oct 09, 2010 8:51 pm

Re: LMDE: Shellshock Bash Bug Fix?

Post by mockturtl »

Monsta wrote:The changelog links are on the left side (the "versioned links" pane) - click on the "plus in circle" icon.
It's not easy to find, and there's a bug report about it.
Ah! Thank you. That's a strange adjustment to the layout.
Image
Locked

Return to “LMDE Archive”