Remote exploit vulnerability in bash

Here you can discuss every aspect of Debian. Note: not for support requests!

Re: Remote exploit vulnerability in bash

Postby kedaha » 2014-09-24 20:33

Thanks for your post; I see at dsa-3032:
For the stable distribution (wheezy), this problem has been fixed in version 4.2+dfsg-0.1+deb7u1.

So I've updated server and desktop immediately.
Code:
# aptitude dist-upgrade
The following packages will be upgraded:
  apt apt-utils bash libapt-inst1.5 libapt-pkg4.12

Fixed.
Mate DE & OSSv4.
FreedomBox in Debian
ispmail
Debian Stable

Words, as is well known, are the great foes of reality. Joseph Conrad.
Kedaha's Conjecture
kedaha
 
Posts: 3012
Joined: 2008-05-24 12:26

Re: Remote exploit vulnerability in bash

Postby Hallvor » 2014-09-24 20:49

Thank you.
Lenovo Thinkpad T440S, Intel Core i7-4600U CPU @ 2.10GHz, 8 GB RAM, 256 GB SSD, Debian Buster (KDE)
Hallvor
 
Posts: 947
Joined: 2009-04-16 18:35
Location: Norway

Re: Remote exploit vulnerability in bash

Postby kedaha » 2014-09-25 22:06

I see it's been called the "Shell Shock Bug". And the news media are making quite a meal out of it.
Anyway, just in case: DashAsBinSh. 8)
kedaha
 
Posts: 3012
Joined: 2008-05-24 12:26

Re: Remote exploit vulnerability in bash

Postby Spock » 2014-09-26 02:47

Using Debian Jessie oldstable
Spock
 
Posts: 49
Joined: 2012-01-03 13:20
Location: Québec, QC, CA


Re: Remote exploit vulnerability in bash

Postby dasein » 2014-09-26 21:37

Sometimes the obvious fix isn't actually, well, you know... a fix.

http://arstechnica.com/security/2014/09 ... first-fix/
dasein
 
Posts: 7775
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Remote exploit vulnerability in bash

Postby Spock » 2014-09-27 01:39

Using Debian Jessie oldstable
Spock
 
Posts: 49
Joined: 2012-01-03 13:20
Location: Québec, QC, CA

Re: Remote exploit vulnerability in bash

Postby kedaha » 2014-09-27 06:36

My server's configured to use dash:
Code:
$ apt-cache policy dash
dash:
  Installed: 0.5.7-3

Out of curiosity, I simulated (since curiosity killed the cat) removing bash and got:
Code:
$ aptitude remove -s bash
The following packages will be REMOVED: 
  bash
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 3,739 kB will be freed.
The following ESSENTIAL packages will be REMOVED!
  bash

WARNING: Performing this action will probably cause your system to break!
         Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
I am aware that this is a very bad idea
Would download/install/remove packages.

I have no intention of removing bash, but I just wondered if this might also be "a very bad idea" when the system has been reconfigured to use dash as the default system shell. My guess is that it could be removed providing essential dependencies didn't get removed with it.
kedaha
 
Posts: 3012
Joined: 2008-05-24 12:26

Re: Remote exploit vulnerability in bash

Postby micksulley » 2014-09-27 13:04

How do I fix this????

My version is
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3

I have run
apt-get update
apt-get upgrade
and it tells me everything is up to date but running the test I get

mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????
micksulley
 
Posts: 61
Joined: 2012-09-06 12:20

Re: Remote exploit vulnerability in bash

Postby n_hologram » 2014-09-27 13:40

Have you tried:

# apt-get dist-upgrade
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing

the crunkbong project: scripts, operating system, the list goes on...
n_hologram
 
Posts: 453
Joined: 2013-06-16 00:10

Re: Remote exploit vulnerability in bash

Postby micksulley » 2014-09-27 15:53

Yes I tried that and it didn't work -

Code:
mick@mick-deb-laptop:~$ sudo apt-get dist-upgrade
[sudo] password for mick:
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
mick@mick-deb-laptop:~$

micksulley
 
Posts: 61
Joined: 2012-09-06 12:20

Re: Remote exploit vulnerability in bash

Postby Bulkley » 2014-09-27 16:11

micksulley wrote:
mick@mick-deb-laptop:~$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

Advise please????


Show us your sources.
Bulkley
 
Posts: 5845
Joined: 2006-02-11 18:35

Re: Remote exploit vulnerability in bash

Postby micksulley » 2014-09-27 16:38

deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
micksulley
 
Posts: 61
Joined: 2012-09-06 12:20

Re: Remote exploit vulnerability in bash

Postby dasein » 2014-09-27 16:46

Repo mixing and matching doesn't work across stable versions, either.

If you've been running Debian for two years, then it's probably time to learn the basics of Debian releases and repositories.

https://www.debian.org/releases/
https://wiki.debian.org/SourcesList
dasein
 
Posts: 7775
Joined: 2011-03-04 01:06
Location: Terra Incantationum
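
An added example, not from any poster in this thread: a small POSIX shell check, run over the sources list posted above, that reports entries from more than one release (the mixing dasein points out) and, as an additional check not raised in the thread, whether any line points at security.debian.org, where Debian publishes security updates. The function names are hypothetical, and matching on the host name is a heuristic assumption.

```shell
#!/bin/sh
# sources.list lines copied from micksulley's post above.
SAMPLE='deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
deb http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian/ wheezy main non-free
deb-src http://ftp.uk.debian.org/debian/ wheezy main non-free
deb http://www.deb-multimedia.org/ wheezy main non-free
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free'

# Print the distinct base release names, one per line, sorted.
# A suite such as wheezy-updates or wheezy/updates counts as "wheezy".
releases() {
    printf '%s\n' "$1" | awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }  # skip [options]
            suite = $(i + 1)                 # field after the URL
            sub("[-/].*$", "", suite)        # strip -updates, -lts, /updates ...
            print suite
        }' | sort -u
}

# Heuristic (assumption): a binary entry naming security.debian.org.
has_security() {
    printf '%s\n' "$1" | grep -Eq '^deb[[:space:]].*security\.debian\.org'
}

# Report findings; return 0 only when one release and a security entry exist.
audit() {
    rel=$(releases "$1")
    n=$(printf '%s\n' "$rel" | awk 'NF { c++ } END { print c + 0 }')
    status=0
    if [ "$n" -gt 1 ]; then
        echo "MIXED releases: $(echo $rel)"
        status=1
    fi
    if ! has_security "$1"; then
        echo "NO security.debian.org entry"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $rel"
    return "$status"
}

audit "$SAMPLE" || true
```

On a live system, pass the real file instead of the sample: `audit "$(cat /etc/apt/sources.list)"`.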
