Main Edition: BASH vulnerability a.k.a. 'Shellshock'
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
Re: Shell Shock vulnerability
Looks like you are running an unsupported LM release. LM13 and LM17 already provide patched versions.
Re: Recent bash vulnerability and patch questions
Already asked and answered:
http://forum.linuxmint.com/viewtopic.php?f=200&t=178897
http://forum.linuxmint.com/viewtopic.php?f=6&t=178925
Next time, please search the forum first for related topics before posting the same question/issue/problem again.
Re: Recent bash vulnerability and patch questions
Debian and Ubuntu use /bin/sh, symlinked to /bin/dash (not bash) for system scripts. Unless you use user/custom or alternate system scripts using /bin/bash, you were not much at risk. I don't think SELinux would actually be useful there. It is overrated regarding this kind of threat.
Re: Shell Shock vulnerability
Then you will never again get bug fixes or security updates...
http://forums.linuxmint.com/viewtopic.p ... 3&t=173378
Re: Recent bash vulnerability and patch questions
@nomko: I don't think you read my post. My questions were not answered on those links which I already visited prior to posting. Yes, I know it has already been patched... My questions remain.
@eanfrid: I use /bin/bash for all my scripts, never dash. I have switched from dash to bash because I like its functionality and speed doesn't matter.
Even though it has been patched I like to know more about the topic than what I've seen on forums and news articles so far, and my questions are about the past, not what is now. Best!
- I'm running Mint 18 Mate 64-bit
- 4.15.0-34-generic x86_64
- All my bash scripts begin with #!/bin/bash
Re: Recent bash vulnerability and patch questions
Just read 1 or 2 things about this so-called "vulnerability". IMHO this is a minor issue blown up to unscalable proportions.
First thing:
It looks like it is written by somebody who does not understand the functioning and essence of a UNIX system. He writes about bash like it is a Linux/Apple issue, but it is not. It's about bash as an application that does not run only on Linux or Apple, but on many more systems.
Secondly, this so-called threat isn't a threat like some Windows virus. This is an application leak which can only be harmful under your own account. Nevertheless anyone must first gain access to that account and deliberately and knowingly download such a script and run it. And after running that script, it will only harm your account and not the entire installation.
Quote: This issue is especially dangerous as there are many possible ways Bash can be called by an application
Yes, there are many ways: php, perl and many other script languages.
Quote: could leave systems running those operating systems open to exploitation by specially crafted attacks
Special scripts which need to be downloaded deliberately and knowingly. Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?
Another crappy story that has been blown up out of proportion....
Shellshock bug in BASH . . . [Solved]
Well this is embarrassing, what am I supposed to tell my friends?
I've been telling them how perfect it is and how it's almost immune to viruses.
http://www.bbc.co.uk/news/technology-29361794
Last edited by ithoughtyouhadit on Thu Sep 25, 2014 8:36 am, edited 2 times in total.
Re: Shellshock bug in BASH . . .
Ah, I just logged in to ask about this but you beat me to it......
https://www.us-cert.gov/ncas/current-ac ... nerability
http://lists.gnu.org/archive/html/bug-b ... reads.html
https://securityblog.redhat.com/2014/09 ... on-attack/
Re: Shell Shock vulnerability
Quote: LM13 and LM17 already provide patched versions.
Where did you get this info? I doubt that's the case.
This is about this bug, no?: http://www.csoonline.com/article/268726 ... -6271.html
Re: Shellshock bug in BASH . . .
Brilliant, I'll make sure I'm updated... thanks for that.
- Pilosopong Tasyo
Re: Shellshock bug in BASH . . .
ithoughtyouhadit wrote: Well this is embarrassing, what am I supposed to tell my friends?
Tell them it's already patched up. All they have to do is install security updates from their update manager.
I have a gut feeling fear-mongers will blow this issue out of proportion in the next several days. The patch has already been issued hours ago. I wonder if these tech/news/blog sites are going to report about the patch instead of feasting on this media circus.
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].
Re: Shellshock bug in BASH . . . [Solved]
ithoughtyouhadit wrote: I've been telling them how perfect it is and how it's almost immune to viruses.
It's not a virus.
Linux is NOT immune to vulnerabilities, then you tell them the difference between a virus and a vulnerability.
Then tell them how they didn't have to wait for "Patch Tuesday" to get a fix.
Makes you look smart.
Re: Recent bash vulnerability and patch questions
Quote: Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?... Another crappy story that has been blown up out of proportion....
Yeah, that's the first thing I thought. How would they even get code on there in the first place? Lol. If it's just a matter of keeping unauthorized users from accessing your root-enabled machine, well, that's nothing new for sure. They made it sound like your server could be attacked out of the blue without gaining authentication, which made no sense.
- I'm running Mint 18 Mate 64-bit
- 4.15.0-34-generic x86_64
- All my bash scripts begin with #!/bin/bash
Re: What's this about bash?
[Info]
Mint 13 - Updates received today
Code:
bash (4.2-2ubuntu2.2) precise-security; urgency=medium
  * SECURITY UPDATE: incorrect function parsing
    - debian/patches/CVE-2014-6271.diff: fix function parsing in
      bash/builtins/common.h, bash/builtins/evalstring.c, bash/variables.c.
    - CVE-2014-6271
 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 22 Sep 2014 15:31:07 -0400
Code:
Commit Log for Thu Sep 25 16:37:56 2014
The following packages have been updated:
bash (4.2-2ubuntu2.1) to 4.2-2ubuntu2.2
libnss3 (3.17-0ubuntu0.12.04.1) to 3.17.1-0ubuntu0.12.04.1
libnss3-1d (3.17-0ubuntu0.12.04.1) to 3.17.1-0ubuntu0.12.04.1
I know I received the corresponding bash update for Mint 17 last night. Cannot post the software package changelog at this point in time because I am sitting in front of my Mint 13 office machine.
Don't panic. Update. Be happy.
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
Re: What's this about bash?
Just to update on this:
1) it is a major bug, there are many proofs of concept, including through dhclient and through crafting headers in GETs that are passed to programs through cgi (I think that the ktorrent remote web administration interface seems like the type of thing that would be vulnerable - I haven't tested yet, just cut it off from the open web.)
2) The patch doesn't work.
3) Exploits are in the wild, right now.
Everything you need to know about the Shellshock Bash bug: http://www.troyhunt.com/2014/09/everyth ... about.html
CVE-2014-7169: Bash Fix Incomplete, Still Exploitable: http://seclists.org/oss-sec/2014/q3/685
Bash 'shellshock' bug is wormable: http://blog.erratasec.com/2014/09/bash- ... mable.html
ShellShock exploited in the wild: kernel exploit with CnC component: https://gist.github.com/anonymous/929d622f3b36b00c0be1
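An added example, not part of the thread or any poster's code: a triage scanner for the CGI header vector mentioned in the post above. It assumes the web server writes the Apache/nginx combined log format and that the marker to look for is the `() {` function-definition prefix described in the public CVE-2014-6271 advisories; the sample log lines, addresses and paths are constructed.

```python
import re

# Assumption: Apache/nginx "combined" access log format.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# A value that looks like the start of a bash function definition:
# "()" followed by optional whitespace and "{".
FUNC_DEF = re.compile(r'\(\)\s*\{')


def scan(lines):
    """Return (ip, field, status) for every logged field carrying the marker."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for field in ("request", "referer", "agent"):
            if FUNC_DEF.search(m.group(field)):
                hits.append((m.group("ip"), field, int(m.group("status"))))
    return hits


# Constructed sample lines: documentation IP ranges, inert placeholder payload.
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:16:40:01 +0000] '
    '"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:16:41:12 +0000] '
    '"GET /cgi-bin/status HTTP/1.0" 200 94 "-" "() { :; }; PLACEHOLDER"',
    '203.0.113.5 - - [25/Sep/2014:16:42:30 +0000] '
    '"GET /cgi-bin/test.cgi HTTP/1.1" 404 208 "() { x; }; PLACEHOLDER" "curl/7.35.0"',
    # "()" in a URL without the "{" must not be flagged.
    '192.0.2.44 - - [25/Sep/2014:16:43:02 +0000] '
    '"GET /docs/func() HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, field, status in scan(SAMPLE):
        print(f"{ip}: function-definition marker in {field} (HTTP {status})")
```

The combined format records only the request line, Referer and User-Agent, so a marker sent in any other header will not show up in these logs. A hit shows that a request carried the marker, not that bash was reached; the status code and the target path (a CGI script or not) decide which hosts to check first.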
Re: Recent bash vulnerability and patch questions
linx255 wrote: "Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?... Another crappy story that has been blown up out of proportion...." Yeah, that's the first thing I thought. How would they even get code on there in the first place? Lol. If it's just a matter of keeping unauthorized users from accessing your root-enabled machine, well, that's nothing new for sure. They made it sound like your server could be attacked out of the blue without gaining authentication, which made no sense.
In SSH I think it's a matter of executing a command similar to the test one. According to RedHat one can bypass the SSH command restrictions this way. Of course, someone would have to login first, so 'duh!'.
The httpd exploit has something to do with cgi scripts, so that's beyond me.
Anyway, no known exploits exist, and the only people who should be worried are most likely not on this forum, or have anything to do with Mint for that matter...
Re: What's this about bash?
pessimizer wrote: 1) it is a major bug, there are many proofs of concept, including through dhclient and through crafting headers in GETs that are passed to programs through cgi (I think that the ktorrent remote web administration interface seems like the type of thing that would be vulnerable - I haven't tested yet, just cut it off from the open web.)
2) The patch doesn't work.
3) Exploits are in the wild, right now.