Hey flag wavers--compare that with your "patch Tuesday"It's been patched by almost all major Linux groups, by now.
- in all cases, even before it had hit the news-wire services.
and with your anti-virus definition update and detection abilities.
Hey flag wavers--compare that with your "patch Tuesday"It's been patched by almost all major Linux groups, by now.
- in all cases, even before it had hit the news-wire services.
that update does Not work for LMDE:davparker wrote:update may not be enough, you might night to upgrade bash
To test for vulnerability, try this:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If it reports vulnerable, upgrade/patch like this:
sudo apt-get update && sudo apt-get install --only-upgrade bash
Close your shell, then test again
Overconfidence suits no one. It is an Achilles heel.
Probably not, but I think there will be some. It's easy to imagine there will be some vulnerable router somewhere with a web based administration tool using cgi scripts, and with bash installed on the router.linx255 wrote:Would a typical router from an ISP be likely to have bash running on it?
Basically that means, once you compromise a dhcp server, you can pretty much own any unpatched machine on that network.Replace the portion of the string “echo ‘foo'” with whatever command you want the client to execute. Keep in mind most clients will run dhcp hook scripts as root, but may not have a full environment defined in terms of PATH variables etc.
Yes, it turns out there are still a ton of scripts which use bash. I did a quick search with grep and found 120 files beginning "#!/bin/bash" in /usr alone. Even in /bin, there are programs like gunzip, zgrep, and uncompress that are actually bash scripts. So much for that idea, it seems it likely really can't be removed without causing serious headaches.linx255 wrote: Not technically essential, but all my automation scripts depend on bash, and they don't work with dash, so my default is set to /bin/bash.
Agree. Very pleased this has been fixed quickly, but it really is a major vulnerability.linx255 wrote:Even though it's patched and I'm probably not affected, I still needed to investigate.
Ubuntu had published the patched bash versions for Ubuntu 12.04 (Mint 13) and Ubuntu 14.04 (Mint 17) even before you asked. This means, provided you are accepting the default safety levels in mintupdate, [1], [2] and [3], the patched bash should have been offered for installation you to already. All you have to do is click on the shield icon and click on [Install] in the update manager application window.sherbert wrote:It seems that a new bash is available to patch for it. Will this be made available to Mint users, please?
Those are already in Linux Mint 13 and 17; see the changelogs linked to in the first post in this topic.karlchen wrote:Now I will have to watch out for the bash patches fixing CVE-2014-7169, instead.
Yep. Only many more others kept secret and unpatchedkarlchen wrote:I'm glad I'm typing this from Windows 7 SP1: no bash vulnerabilities here
True, by today. It all depends on when exactly I received the bash updates on Ubuntu 12.04.5, Mint13, Mint 17 and Ubuntu 14.04.1.xenopeek wrote:Those are already in Linux Mint 13 and 17; see the changelogs linked to in the first post in this topic.Now I will have to watch out for the bash patches fixing CVE-2014-7169, instead.
Code: Select all
[13:13:14] Warning: The file properties have changed:
[13:13:14] File: /bin/bash
[13:13:14] Current hash: ac1ddc9c4283f5bb8db64c2e5771eeb44803399f
[13:13:14] Stored hash : 966672a53bec6b0e43137e187d9bc5dce05d8443
[13:13:14] Current inode: 135666 Stored inode: 147738
[13:13:15] Current file modification time: 1411695948 (26-Sep-2014 03:45:48)
[13:13:15] Stored file modification time : 1398292992 (24-Apr-2014 00:43:12)
Code: Select all
Ubuntu 12.04.5 x64 - Mint 13 x64
==================================
bash (4.2-2ubuntu2.3) precise-security; urgency=medium
* SECURITY UPDATE: incomplete fix for CVE-2014-6271
- debian/patches/CVE-2014-7169.diff: fix logic in bash/parse.y.
- CVE-2014-7169
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 25 Sep 2014 02:11:10 -0400
[22:58:04] Warning: The file properties have changed:
[22:58:04] File: /bin/bash
[22:58:04] Current hash: 4e5d726270d6a129bf6e7a03798303d80246e56c
[22:58:04] Stored hash : 9eeed02173db163b013933eff3b8c6aa3697f67f
[22:58:04] Current inode: 1048653 Stored inode: 1048613
[22:58:04] Current file modification time: 1411627847 (25-Sep-2014 08:50:47)
[22:58:04] Stored file modification time : 1411418372 (22-Sep-2014 22:39:32)
Code: Select all
apt-get install bash