Remote exploit vulnerability in bash
Re: Remote exploit vulnerability in bash
Thanks for your post; I see at dsa-3032:
For the stable distribution (wheezy), this problem has been fixed in version 4.2+dfsg-0.1+deb7u1.
Fixed.
So I've updated server and desktop immediately.
Code:
# aptitude dist-upgrade
The following packages will be upgraded:
apt apt-utils bash libapt-inst1.5 libapt-pkg4.12
DebianStable
Code: Select all
$ vrms
No non-free or contrib packages installed on debian! rms would be proud.
- Hallvor
- Global Moderator
- Posts: 2044
- Joined: 2009-04-16 18:35
- Location: Kristiansand, Norway
- Has thanked: 151 times
- Been thanked: 212 times
Re: Remote exploit vulnerability in bash
Thank you.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
Re: Remote exploit vulnerability in bash
I see it's been called the "Shell Shock Bug". And the news media are making quite a meal out of it.
Anyway, just in case: DashAsBinSh.
Re: Remote exploit vulnerability in bash
Sometimes the obvious fix isn't actually, well, you know... a fix.
http://arstechnica.com/security/2014/09 ... first-fix/
Re: Remote exploit vulnerability in bash
My server's configured to use dash:
Code:
$ apt-cache policy dash
dash:
Installed: 0.5.7-3
Out of curiosity, I simulated (since curiosity killed the cat) removing bash and got:
Code:
$ aptitude remove -s bash
The following packages will be REMOVED:
bash
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 3,739 kB will be freed.
The following ESSENTIAL packages will be REMOVED!
bash
WARNING: Performing this action will probably cause your system to break!
Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
I am aware that this is a very bad idea
Would download/install/remove packages.
I have no intention of removing bash, but I just wondered if this might also be "a very bad idea" when the system has been reconfigured to use dash as the default system shell. My guess is that it could be removed providing essential dependencies didn't get removed with it.
- micksulley
- Posts: 61
- Joined: 2012-09-06 12:20
Re: Remote exploit vulnerability in bash
How do I fix this????
My version is
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3
I have run
apt-get update
apt-get upgrade
and it tells me everything is up to date but running the test I get
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
Advise please????
-
- Posts: 459
- Joined: 2013-06-16 00:10
Re: Remote exploit vulnerability in bash
have you tried:
# apt-get dist-upgrade
the crunkbong project: scripts, operating system, the list goes on...
bester69 wrote: There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
- micksulley
Re: Remote exploit vulnerability in bash
Yes I tried that and it didn't work -
Code:
mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
[sudo] password for mick:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$
Re: Remote exploit vulnerability in bash
micksulley wrote:
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
Advise please????
Show us your sources.
- micksulley
Re: Remote exploit vulnerability in bash
deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
Re: Remote exploit vulnerability in bash
Repo mixing and matching doesn't work across stable versions, either.
If you've been running Debian for two years, then it's probably time to learn the basics of Debian releases and repositories.
https://www.debian.org/releases/
https://wiki.debian.org/SourcesList
- micksulley
Re: Remote exploit vulnerability in bash
I added the squeeze-lts today as it was suggested in a thread I found as a supposed fix for this. I have just removed them again and it still does not work.
source is now
deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
# deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
# deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
Code:
mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$
Re: Remote exploit vulnerability in bash
What version of bash is actually installed?
Your sources list has a duplicate repository with a more restrictive component list.
- Hallvor
Re: Remote exploit vulnerability in bash
micksulley: What is the point of hijacking this thread? This is general discussion.
- micksulley
Re: Remote exploit vulnerability in bash
teeitup wrote:
What version of bash is actually installed?
Your sources list has a duplicate repository with a more restrictive component list.
Bash version is 4.2.37(1)-release (x86_64-pc-linux-gnu)
Sorry I don't understand your comment about a more restrictive component list, which one should I remove?
Thanks
Mick
Re: Remote exploit vulnerability in bash
@micksulley: By the way, you should definitely include security in your SourcesList:
Code:
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
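The two sources-list problems raised in this thread (a squeeze-lts entry on a wheezy system, and no wheezy/updates security line, so the fixed bash is never offered) expressed as a check. This is an added example, not part of any post above; the function names and finding labels are made up here, and the sample list is built from the entries posted in the thread.

```shell
#!/bin/sh
# Audit an APT sources list for the two problems discussed in the thread.
# Assumes one-line "deb URI SUITE COMPONENTS..." entries without [options].

# audit_sources CODENAME < sources.list ; prints one finding per line.
audit_sources() {
    awk -v rel="$1" '
    $1 != "deb" && $1 != "deb-src" { next }   # skips comments and blank lines
    {
        suite = $3
        # Security archive suite as posted in the thread: "<codename>/updates".
        if ($1 == "deb" && suite == (rel "/updates"))
            security = 1
        # Strip "-updates", "/updates", "-lts" to get the release codename.
        base = suite
        sub("[-/].*", "", base)
        if (base != rel && !(suite in foreign)) {
            foreign[suite] = 1
            print "MIXED_RELEASE " suite
        }
    }
    END { if (!security) print "NO_SECURITY_REPO " rel "/updates" }
    '
}

# Sample input built from the list posted above (deb-src and repeats dropped).
posted_sources() {
    cat <<'EOF'
deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
EOF
}

# Same list with squeeze-lts commented out and the security line added.
fixed_sources() {
    posted_sources | sed 's/^deb \(.*squeeze-lts\)/# deb \1/'
    echo 'deb http://security.debian.org/ wheezy/updates main contrib non-free'
}

echo "posted:"; posted_sources | audit_sources wheezy
echo "fixed:";  fixed_sources  | audit_sources wheezy
```

On a real system, feed it `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` and then compare the installed bash version against the fixed version quoted from the DSA.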