Main Edition: BASH vulnerability a.k.a. 'Shellshock'

eanfrid
Level 7
Posts: 1856
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: Shell Shock vulnerability

Post by eanfrid »

Looks like you are running an unsupported LM release. LM13 and LM17 already provide patched versions.
Main desktop: Debian GNU/Linux Jessie 64bit - MATE
(i5 2400@3.7GHz - 16GB DDR3 - HD6770 w/radeon driver - SSD+RAID1)
Safer than Dropbox
nomko

Re: Recent bash vulnerability and patch questions

Post by nomko »

Already asked and answered:

http://forum.linuxmint.com/viewtopic.php?f=200&t=178897
http://forum.linuxmint.com/viewtopic.php?f=6&t=178925


Next time, please search the forum first for related topics before posting the same question/issue/problem again.
eanfrid
Level 7
Posts: 1856
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: Recent bash vulnerability and patch questions

Post by eanfrid »

Debian and Ubuntu use /bin/sh, symlinked to /bin/dash (not bash) for system scripts. Unless you use user/custom or alternate system scripts using /bin/bash, you were not much at risk. I don't think SELinux would actually be useful there. It is overrated regarding this kind of threat.
jonniosaurus
Level 1
Posts: 6
Joined: Wed May 14, 2014 4:21 am

Re: Shell Shock vulnerability

Post by jonniosaurus »

I'm on 16
eanfrid
Level 7
Posts: 1856
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: Shell Shock vulnerability

Post by eanfrid »

Then you will never again get bug fixes or security updates...
http://forums.linuxmint.com/viewtopic.p ... 3&t=173378
linx255
Level 5
Posts: 682
Joined: Mon Mar 17, 2014 12:43 am

Re: Recent bash vulnerability and patch questions

Post by linx255 »

@nomko: I don't think you read my post. My questions were not answered on those links which I already visited prior to posting. Yes, I know it has already been patched... My questions remain.

@eanfrid: I use /bin/bash for all my scripts, never dash. I have switched from dash to bash because I like its functionality and speed doesn't matter.

Even though it has been patched I like to know more about the topic than what I've seen on forums and news articles so far, and my questions are about the past, not what is now. Best!
- I'm running Mint 18 Mate 64-bit
- 4.15.0-34-generic x86_64
- All my bash scripts begin with #!/bin/bash
nomko

Re: Recent bash vulnerability and patch questions

Post by nomko »

Just read 1 or 2 things about this so-called "vulnerability". IMHO this is a minor issue blown up to unscalable proportions.

First thing:
It looks like it is written by somebody who does not understand the functioning and essence of a UNIX system. He writes about bash like it is a Linux/Apple issue, but it is not. It's about bash as an application that does not run only on Linux or Apple, but on many more systems.

Secondly, this so-called threat isn't a threat like some Windows virus. This is an application leak which can only be harmful under your own account. Nevertheless anyone must first gain access to that account and deliberately and knowingly download such a script and run it. And after running that script, it will only harm your account and not the entire installation.
"This issue is especially dangerous as there are many possible ways Bash can be called by an application"
Yes, there are many ways: php, perl and many other script languages.
"could leave systems running those operating systems open to exploitation by specially crafted attacks"
Special scripts which need to be downloaded deliberately and knowingly. Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?

Another crappy story that has been blown up out of proportion....
ithoughtyouhadit
Level 1
Posts: 2
Joined: Thu Sep 25, 2014 8:01 am

Shellshock bug in BASH . . . [Solved]

Post by ithoughtyouhadit »

Well this is embarrassing, what am I supposed to tell my friends?
I've been telling them how perfect it is and how it's almost immune to viruses.

http://www.bbc.co.uk/news/technology-29361794
Last edited by ithoughtyouhadit on Thu Sep 25, 2014 8:36 am, edited 2 times in total.
1.618
Level 5
Posts: 588
Joined: Fri Jun 06, 2014 9:22 am
Location: Surfing a multidimensional wave of celestial intent

Re: Shellshock bug in BASH . . .

Post by 1.618 »

Well according to this the issue can be corrected

http://www.ubuntu.com/usn/usn-2362-1/
ktheking
Level 4
Posts: 430
Joined: Tue May 13, 2014 9:13 am

Re: Shell Shock vulnerability

Post by ktheking »

"LM13 and LM17 already provide patched versions."
Where did you get this info? I doubt that's the case.
This is about this bug, no?: http://www.csoonline.com/article/268726 ... -6271.html
ithoughtyouhadit
Level 1
Posts: 2
Joined: Thu Sep 25, 2014 8:01 am

Re: Shellshock bug in BASH . . .

Post by ithoughtyouhadit »

Brilliant, I'll make sure I'm updated... thanks for that. :-)
Pilosopong Tasyo
Level 6
Posts: 1435
Joined: Mon Jun 22, 2009 3:26 am
Location: Philippines

Re: Shellshock bug in BASH . . .

Post by Pilosopong Tasyo »

ithoughtyouhadit wrote: Well this is embarrassing, what am I supposed to tell my friends?
Tell them it's already patched up. All they have to do is install security updates from their update manager. :wink:

I have a gut feeling fear-mongers will blow this issue out of proportion in the next several days. The patch has already been issued hours ago. I wonder if these tech/news/blog sites are going to report about the patch instead of feasting on this media circus. :lol:
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].
eanfrid
Level 7
Posts: 1856
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: Shell Shock vulnerability

Post by eanfrid »

For LM17: v 4.3-7ubuntu1.1
For LM13: v 4.2-2ubuntu2.2
Habitual
Level 13
Posts: 4863
Joined: Sun Nov 21, 2010 8:31 pm
Location: 0.0.0.0

Re: Shellshock bug in BASH . . . [Solved]

Post by Habitual »

ithoughtyouhadit wrote: I've been telling them how perfect it is and how it's almost immune to viruses.
It's not a virus.
Linux is NOT immune to vulnerabilities, then you tell them the difference between a virus and a vulnerability.
Then tell them how they didn't have to wait for "Patch Tuesday" to get a fix.
Makes you look smart. ;)
linx255
Level 5
Posts: 682
Joined: Mon Mar 17, 2014 12:43 am

Re: Recent bash vulnerability and patch questions

Post by linx255 »

"Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?...
Another crappy story that has been blown up out of proportion...."
Yeah, that's the first thing I thought. How would they even get code on there in the first place? Lol. If it's just a matter of keeping unauthorized users from accessing your root-enabled machine, well, that's nothing new for sure. They made it sound like your server could be attacked out of the blue without gaining authentication, which made no sense.
karlchen
Level 21
Posts: 13302
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: What's this about bash?

Post by karlchen »

[Info]
Mint 13 - Updates received today

bash (4.2-2ubuntu2.2) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect function parsing
    - debian/patches/CVE-2014-6271.diff: fix function parsing in
      bash/builtins/common.h, bash/builtins/evalstring.c, bash/variables.c.
    - CVE-2014-6271

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 22 Sep 2014 15:31:07 -0400

Commit Log for Thu Sep 25 16:37:56 2014
The following packages have been updated:
bash (4.2-2ubuntu2.1) to 4.2-2ubuntu2.2
libnss3 (3.17-0ubuntu0.12.04.1) to 3.17.1-0ubuntu0.12.04.1
libnss3-1d (3.17-0ubuntu0.12.04.1) to 3.17.1-0ubuntu0.12.04.1

I know I received the corresponding bash update for Mint 17 last night. Cannot post the software package changelog at this point in time because I am sitting in front of my Mint 13 office machine.

Don't panic. Update. Be happy.

Karl
Linux Mint 19.3 64-bit Cinnamon, Total Commander 9.51 64-bit
Hatred is like a disease, the Miserere, where what should really go out the back comes out the front. (Goethe)
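
An added example (not code from any poster in this thread) that checks the two points raised above: which scripts in a directory run under bash rather than /bin/sh, and whether the installed bash package is at or above the fixed versions posted here for Mint 13 and Mint 17. The function names and the default directory are assumptions, and the version floor covers only the CVE-2014-6271 fix.

```shell
# Added example, not code from the thread. Fixed versions are the ones posted above
# (CVE-2014-6271 only); newer security updates supersede them.

# Classify a script by its first line: prints bash, sh or other.
shebang_shell() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000')
    case "$first" in
        '#!'*bash*) echo bash ;;
        '#!'*/sh | '#!'*/sh' '* | '#!'*'env sh'*) echo sh ;;
        *) echo other ;;
    esac
}

# Number of regular files in directory $1 whose shebang invokes bash.
count_bash_scripts() {
    n=0
    for f in "$1"/*; do
        if [ -f "$f" ] && [ "$(shebang_shell "$f")" = bash ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Fixed package version for a bash series, as posted in this thread.
fixed_for() {
    case "$1" in
        4.3-*) echo 4.3-7ubuntu1.1 ;;  # Mint 17
        4.2-*) echo 4.2-2ubuntu2.2 ;;  # Mint 13
        *) return 1 ;;
    esac
}

# True when package version $1 is the same as or newer than $2.
version_at_least() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else  # assumption: GNU sort -V approximates Debian ordering for these strings
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

dir=${1:-.}  # directory of scripts to audit (assumed default: current directory)
installed=$(dpkg-query -W -f='${Version}' bash 2>/dev/null) || installed=
echo "/bin/sh runs: $(basename "$(readlink -f /bin/sh 2>/dev/null)")"
echo "scripts in $dir with a bash shebang: $(count_bash_scripts "$dir")"
if fixed=$(fixed_for "$installed") && version_at_least "$installed" "$fixed"; then
    echo "bash $installed: at or above $fixed"
else
    echo "bash ${installed:-?}: below or outside the versions listed in this thread"
fi
```

Pass a directory as the first argument to audit scripts somewhere other than the current directory.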
pessimizer
Level 1
Posts: 2
Joined: Thu Sep 25, 2014 10:49 am

Re: What's this about bash?

Post by pessimizer »

Just to update on this:

1) it is a major bug, there are many proofs of concept, including through dhclient and through crafting headers in GETs that are passed to programs through cgi (I think that the ktorrent remote web administration interface seems like the type of thing that would be vulnerable - I haven't tested yet, just cut it off from the open web.)

2) The patch doesn't work.

3) Exploits are in the wild, right now.

Everything you need to know about the Shellshock Bash bug: http://www.troyhunt.com/2014/09/everyth ... about.html
CVE-2014-7169: Bash Fix Incomplete, Still Exploitable: http://seclists.org/oss-sec/2014/q3/685
Bash 'shellshock' bug is wormable: http://blog.erratasec.com/2014/09/bash- ... mable.html
ShellShock exploited in the wild: kernel exploit with CnC component: https://gist.github.com/anonymous/929d622f3b36b00c0be1
niowluka
Level 5
Posts: 729
Joined: Tue May 27, 2014 6:28 pm
Location: Krakow, Poland

Re: Recent bash vulnerability and patch questions

Post by niowluka »

linx255 wrote:
Else how will you get a script on your system without knowing it when that script cannot bypass the root/right management system?...
Another crappy story that has been blown up out of proportion....
Yeah, that's the first thing I thought. How would they even get code on there in the first place? Lol. If it's just a matter of keeping unauthorized users from accessing your root-enabled machine, well, that's nothing new for sure. They made it sound like your server could be attacked out of the blue without gaining authentication, which made no sense.
In SSH I think it's a matter of executing a command similar to the test one. According to RedHat one can bypass the SSH command restrictions this way. Of course, someone would have to login first, so 'duh!'.

The httpd exploit has something to do with cgi scripts, so that's beyond me.

Anyway, no known exploits exist, and the only people who should be worried are most likely not on this forum, or have anything to do with Mint for that matter...
Mint 17 Openbox (MATE) 64bit | Linux 4.1.6 (Vanilla)

Gigabyte GA-880GA-UD3H | AMD Phenom II X4 965 3.4Ghz | G.Skill 8GB DDR3-1600 RipjawsX, F3-12800CL8D-8GBXM | MSI R7 260X 2048 MB GDDR5 OC
niowluka
Level 5
Posts: 729
Joined: Tue May 27, 2014 6:28 pm
Location: Krakow, Poland

Re: What's this about bash?

Post by niowluka »

pessimizer wrote: 1) it is a major bug, there are many proofs of concept, including through dhclient and through crafting headers in GETs that are passed to programs through cgi (I think that the ktorrent remote web administration interface seems like the type of thing that would be vulnerable - I haven't tested yet, just cut it off from the open web.)

2) The patch doesn't work.

3) Exploits are in the wild, right now.
:lol: