Remote exploit vulnerability in bash

Here you can discuss every aspect of Debian. Note: not for support requests!

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Remote exploit vulnerability in bash

#2 Post by kedaha »

Thanks for your post; I see at dsa-3032:
For the stable distribution (wheezy), this problem has been fixed in version 4.2+dfsg-0.1+deb7u1.
So I've updated server and desktop immediately.

Code:

# aptitude dist-upgrade
The following packages will be upgraded:
  apt apt-utils bash libapt-inst1.5 libapt-pkg4.12

Fixed.
DebianStable

Code:

$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

Re: Remote exploit vulnerability in bash

#3 Post by Hallvor »

Thank you.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Remote exploit vulnerability in bash

#4 Post by kedaha »

I see it's been called the "Shell Shock Bug". And the news media are making quite a meal out of it.
Anyway, just in case: DashAsBinSh. 8)



dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Remote exploit vulnerability in bash

#7 Post by dasein »

Sometimes the obvious fix isn't actually, well, you know... a fix.

http://arstechnica.com/security/2014/09 ... first-fix/

Spock
Posts: 49
Joined: 2012-01-03 13:20
Location: Québec, QC, CA

Re: Remote exploit vulnerability in bash

#8 Post by Spock »

Using Debian Jessie oldstable

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Remote exploit vulnerability in bash

#9 Post by kedaha »

My server's configured to use dash:

Code:

$ apt-cache policy dash
dash:
  Installed: 0.5.7-3

Out of curiosity, I simulated (since curiosity killed the cat) removing bash and got:

Code:

$ aptitude remove -s bash
The following packages will be REMOVED:  
  bash 
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 3,739 kB will be freed.
The following ESSENTIAL packages will be REMOVED!
  bash 

WARNING: Performing this action will probably cause your system to break!
         Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
I am aware that this is a very bad idea
Would download/install/remove packages.

I have no intention of removing bash, but I just wondered if this might also be "a very bad idea" when the system has been reconfigured to use dash as the default system shell. My guess is that it could be removed providing essential dependencies didn't get removed with it.

micksulley
Posts: 61
Joined: 2012-09-06 12:20

Re: Remote exploit vulnerability in bash

#10 Post by micksulley »

How do I fix this????

My version is
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3

I have run
apt-get update
apt-get upgrade
and it tells me everything is up to date but running the test I get

mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Remote exploit vulnerability in bash

#11 Post by n_hologram »

have you tried:

# apt-get dist-upgrade
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

micksulley
Posts: 61
Joined: 2012-09-06 12:20

Re: Remote exploit vulnerability in bash

#12 Post by micksulley »

Yes I tried that and it didn't work -

Code:

mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
[sudo] password for mick: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$ 
mick@mick-deb-laptop:~$ 
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$ 


Bulkley
Posts: 6383
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Remote exploit vulnerability in bash

#13 Post by Bulkley »

micksulley wrote: mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????

Show us your sources.

micksulley
Posts: 61
Joined: 2012-09-06 12:20

Re: Remote exploit vulnerability in bash

#14 Post by micksulley »

deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Remote exploit vulnerability in bash

#15 Post by dasein »

Repo mixing and matching doesn't work across stable versions, either.

If you've been running Debian for two years, then it's probably time to learn the basics of Debian releases and repositories.

https://www.debian.org/releases/
https://wiki.debian.org/SourcesList

micksulley
Posts: 61
Joined: 2012-09-06 12:20

Re: Remote exploit vulnerability in bash

#16 Post by micksulley »

I added the squeeze-lts today as it was suggested in a thread I found as a supposed fix for this. I have just removed them again and it still does not work.

Code:

mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$ 

Source is now:

deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
# deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
# deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

teeitup
Posts: 25
Joined: 2009-03-09 19:22

Re: Remote exploit vulnerability in bash

#17 Post by teeitup »

What version of bash is actually installed?

Your sources list has a duplicate repository with a more restrictive component list.

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

Re: Remote exploit vulnerability in bash

#18 Post by Hallvor »

micksulley: What is the point of hijacking this thread? This is general discussion.

micksulley
Posts: 61
Joined: 2012-09-06 12:20

Re: Remote exploit vulnerability in bash

#19 Post by micksulley »

teeitup wrote:What version of bash is actually installed?

Your sources list has a duplicate repository with a more restrictive component list.

Bash version is 4.2.37(1)-release (x86_64-pc-linux-gnu)


Sorry I don't understand your comment about a more restrictive component list, which one should I remove?

Thanks
Mick

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Remote exploit vulnerability in bash

#20 Post by kedaha »

@micksulley: By the way, you should definitely include security in your SourcesList:

Code:

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
DebianStable

Code:

$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.
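
A check for the two sources.list problems raised in this thread (a second release mixed in, and no security.debian.org entry for the running release), as an added example that is not part of any post. The function names and finding labels are hypothetical, and the sample input is a shortened copy of the list from post #14.

```shell
#!/bin/sh
# Added example: audit APT source lines for the problems raised in this thread.
# audit_sources and sample_list are hypothetical names, not part of apt.

# Usage: audit_sources RELEASE < sources.list
# Prints one finding per line; prints nothing when no problem is found.
audit_sources() {
    awk -v rel="$1" '
        # Only active entries count; comments and blank lines are skipped.
        $1 != "deb" && $1 != "deb-src" { next }
        {
            # Step over an optional [option=value ...] field before the URI.
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i; suite = $(i + 1)

            # Security updates for a release live in the suite RELEASE/updates.
            if ($1 == "deb" && index(uri, "security.debian.org") && suite == (rel "/updates"))
                have_security = 1

            # Codename = suite up to the first "-" or "/" (wheezy-updates -> wheezy).
            base = suite
            sub("[-/].*", "", base)
            if (base != rel)
                printf "MIXED_RELEASE %s %s\n", uri, suite
        }
        END {
            if (!have_security)
                printf "NO_SECURITY_REPO %s/updates\n", rel
        }
    '
}

# Sample input: shortened copy of the list from post #14 (squeeze-lts still active).
sample_list() {
    cat <<'EOF'
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
# deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
EOF
}

sample_list | audit_sources wheezy
```

On a real system, feed it the live lists instead of the sample: `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | audit_sources wheezy`.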
