From: Dominic R. <do...@ti...> - 2014-10-02 05:35:07
> It seems that they keep finding issues in bash right now, so we'll
> gotta keep an eye on that for a bit.

You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and CVE-2014-7187 - tests at http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New) patches for bash 4.2 to fix this are at http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.

Off topic sorry, but since we are looking to a new release of DL:

1. I have had a problem for the last year or two that I cannot get any of my USB drives to boot DL, instead I have to boot via CD/DVD (which I admit has some security advantages). I have assumed this is something to do with my motherboard/BIOS settings (though I have tweaked these without success), but I wondered if anyone else has had the same difficulties? I have tried with both Syslinux and Grub boot loaders.

2. If I boot from CD/DVD the CD/DVD drive remains physically locked even if I have chosen to load and run the system from RAM - i.e. the eject button on the drive does not work. Is this by design? It certainly makes upgrading more of a faff, because I can only change the disk after the machine reboots, and then the machine usually has to be physically rebooted again to get the new disk to boot.

Dominic

On 30/09/2014 19:35, Dominic Raferd wrote:
> Seems good. Many thanks.
>
> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
> test
> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
> date
> cat: /tmp/echo: No such file or directory
>
> On 30/09/2014 16:14, Heiko Zuerker wrote:
>> The compile finished successfully last night and I'm uploading into
>> the testing folder right now.
>> It'll take a couple hours for it to complete.
>>
>> Please test and let me know if you confirm that the bug is resolved.
>> It seems that they keep finding issues in bash right now, so we'll
>> gotta keep an eye on that for a bit.
>>
>> Heiko
>>
>> Quoting Heiko Zuerker <he...@zu...>:
>>
>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>
>>> Regards
>>> Heiko Zuerker
>>>
>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd <do...@ti...> wrote:
>>>>
>>>> Hope you had a good break Heiko!
>>>>
>>>> For DL, I haven't seen or heard of a patch, and
>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at least
>>>> in the meantime bash source has been better patched by those good redhat
>>>> people
>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>
>>>> Dominic
>>>>
>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>> I just came back from vacation. I assume nobody worked on the patch yet?
>>>>>
>>>>> Heiko
>>>>>
>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>
>>>>>> Would be grateful if someone could fix DL's bash for the shell shock bug
>>>>>> asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>> Andrzej, Heiko, anyone?
>>>>>>
>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09,
>>>>>> Linux 3.2.56)
>>>>>>
>>>>>> _______________________________________________
>>>>>> Devil-linux-discuss mailing list
>>>>>> Dev...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
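
The checks run in this thread, as an added example that is not part of the original messages: a script that runs the two quoted tests plus the widely published here-document check for CVE-2014-7186 against a chosen bash binary and reports pass or fail by exit status. The function names, the private temporary directory and the "exit status 128 or more means crash" rule are assumptions of this example.

```sh
#!/bin/sh
# Added example: re-run the thread's bash checks against one chosen binary.
# Usage: sh check_bash.sh [/absolute/path/to/bash]  (default: bash from PATH)

# Check 1 (from the thread): commands trailing a function definition in an
# environment variable must not run. Safe output is exactly "test".
check_func_import() {
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$1" -c 'echo test' 2>/dev/null)
    [ "$out" = "test" ]
}

# Check 2 (from the thread): a truncated definition must not leave ">" in the
# parser so that "echo date" runs date and writes a file named echo.
# Runs in a private directory instead of deleting /tmp/echo in shared /tmp.
check_parser_leftover() {
    dir=$(mktemp -d) || return 2
    out=$(cd "$dir" && env 'x=() { (a)=>\' "$1" -c 'echo date' 2>/dev/null)
    rc=1
    [ "$out" = "date" ] && [ ! -e "$dir/echo" ] && rc=0
    rm -rf "$dir"
    return "$rc"
}

# Check 3 (CVE-2014-7186, the widely published test): 14 stacked
# here-documents crash an unpatched parser. A patched bash only warns.
# Assumption: death by signal is reported as exit status 128 or more.
check_redir_stack() {
    "$1" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    [ $? -lt 128 ]
}

# Run every check; return 0 only when all of them pass.
check_all() {
    bin=${1:-$(command -v bash)}
    failed=0
    for c in check_func_import check_parser_leftover check_redir_stack; do
        if "$c" "$bin"; then echo "ok      $c"; else echo "FAILED  $c"; failed=1; fi
    done
    return "$failed"
}

check_all "$@" || echo "at least one check failed" >&2
```

Pointing it at a freshly built binary from a testing image, rather than the running system's bash, confirms a rebuild before it is deployed.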