Remote exploit vulnerability in bash
Posted: 2014-09-24 19:00
by dasein
Re: Remote exploit vulnerability in bash
Posted: 2014-09-24 20:33
by kedaha
Thanks for your post; I see at dsa-3032:
For the stable distribution (wheezy), this problem has been fixed in version 4.2+dfsg-0.1+deb7u1.
So I've updated server and desktop immediately.
Code:
# aptitude dist-upgrade
The following packages will be upgraded:
apt apt-utils bash libapt-inst1.5 libapt-pkg4.12
Fixed.
Re: Remote exploit vulnerability in bash
Posted: 2014-09-24 20:49
by Hallvor
Thank you.
Re: Remote exploit vulnerability in bash
Posted: 2014-09-25 22:06
by kedaha
I see it's been called the "Shell Shock Bug". And the news media are making quite a meal out of it.
Anyway, just in case: DashAsBinSh.
Re: Remote exploit vulnerability in bash
Posted: 2014-09-26 02:47
by Spock
Re: Remote exploit vulnerability in bash
Posted: 2014-09-26 15:38
by dasein
Re: Remote exploit vulnerability in bash
Posted: 2014-09-26 21:37
by dasein
Sometimes the obvious fix isn't actually, well, you know... a fix.
http://arstechnica.com/security/2014/09 ... first-fix/
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 01:39
by Spock
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 06:36
by kedaha
My server's configured to use dash:
Code:
$ apt-cache policy dash
dash:
Installed: 0.5.7-3
Out of curiosity, I simulated (since curiosity killed the cat) removing bash and got:
Code:
$ aptitude remove -s bash
The following packages will be REMOVED:
bash
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 3,739 kB will be freed.
The following ESSENTIAL packages will be REMOVED!
bash
WARNING: Performing this action will probably cause your system to break!
Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
I am aware that this is a very bad idea
Would download/install/remove packages.
I have no intention of removing bash, but I just wondered if this might also be "a very bad idea" when the system has been reconfigured to use dash as the default system shell. My guess is that it could be removed provided essential dependencies didn't get removed with it.
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 13:04
by micksulley
How do I fix this????
My version is
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3
I have run
apt-get update
apt-get upgrade
and it tells me everything is up to date but running the test I get
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
Advise please????
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 13:40
by n_hologram
Have you tried:
# apt-get dist-upgrade
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 15:53
by micksulley
Yes I tried that and it didn't work -
Code:
mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
[sudo] password for mick:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 16:11
by Bulkley
micksulley wrote:
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
Advise please????
Show us your sources.
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 16:38
by micksulley
deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 16:46
by dasein
Repo mixing and matching doesn't work across stable versions, either.
If you've been running Debian for two years, then it's probably time to learn the basics of Debian releases and repositories.
https://www.debian.org/releases/
https://wiki.debian.org/SourcesList
Re: Remote exploit vulnerability in bash
Posted: 2014-09-27 18:01
by micksulley
I added the squeeze-lts today as it was suggested in a thread I found as a supposed fix for this. I have just removed them again and it still does not work.
Code:
mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$
source is now
deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
# deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
# deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
Re: Remote exploit vulnerability in bash
Posted: 2014-09-28 06:37
by teeitup
What version of bash is actually installed?
Your sources list has a duplicate repository with a more restrictive component list.
Re: Remote exploit vulnerability in bash
Posted: 2014-09-28 08:21
by Hallvor
micksulley: What is the point of hijacking this thread? This is general discussion.
Re: Remote exploit vulnerability in bash
Posted: 2014-09-28 08:45
by micksulley
teeitup wrote: What version of bash is actually installed?
Your sources list has a duplicate repository with a more restrictive component list.
Bash version is 4.2.37(1)-release (x86_64-pc-linux-gnu)
Sorry I don't understand your comment about a more restrictive component list, which one should I remove?
Thanks
Mick
Re: Remote exploit vulnerability in bash
Posted: 2014-09-28 10:37
by kedaha
@micksulley: By the way, you should definitely include security in your SourcesList:
Code:
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
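The replies above point at two things to check in a sources list when a fixed package never arrives: a missing security.debian.org entry and entries from another release. As an added example (not part of the thread), a small shell audit for both; the function names are hypothetical and the sample list is reconstructed from the active "deb" lines posted earlier in the thread.

```shell
#!/bin/sh
# Added example: audit an APT sources list (helper names are hypothetical).

# Print "<host> <suite>" for every active (uncommented) "deb" line.
active_entries() {
    awk '$1 == "deb" {
        for (i = 2; i < NF; i++) {          # skip any [option] fields
            if ($i ~ "^https?://") {
                host = $i
                sub("^https?://", "", host)
                sub("/.*", "", host)
                print host, $(i + 1)
                break
            }
        }
    }' "$1"
}

# Succeed if security.debian.org is enabled for <release>/updates.
has_security_repo() {
    active_entries "$1" | grep -qx "security\.debian\.org $2/updates"
}

# Print suites that belong to a release other than <release>.
foreign_suites() {
    active_entries "$1" | awk -v rel="$2" '{
        base = $2
        sub("[-/].*", "", base)             # wheezy-updates -> wheezy
        if (base != rel) print $2
    }' | sort -u
}

# Constructed sample: the active "deb" lines from the list posted above.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
cat > "$tmp" <<'EOF'
deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
EOF

has_security_repo "$tmp" wheezy || echo "no security.debian.org entry for wheezy"
foreign_suites "$tmp" wheezy | sed 's/^/entry from another release: /'
```

On a real system, pass /etc/apt/sources.list (and any files under /etc/apt/sources.list.d/) instead of the sample file.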