From: Heiko Z. <he...@zu...> - 2014-10-02 20:43:47
The latest patch is in CVS now. I'm booting my firewall from a USB stick and have no issues with it. I think there's one piece that prevents us from unmounting the disk completely. If I remember correctly, it's part of the initrd script if you want to dig around.

Heiko

Quoting Dominic Raferd <do...@ti...>:

>> It seems that they keep finding issues in bash right now, so we'll
>> gotta keep an eye on that for a bit.
>
> You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and
> CVE-2014-7187 - tests at
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
> patches for bash 4.2 to fix this are at
> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>
> Off topic sorry, but since we are looking to a new release of DL:
>
> 1. I have had a problem for the last year or two that I cannot get any
> of my USB drives to boot DL, instead I have to boot via CD/DVD (which I
> admit has some security advantages). I have assumed this is something to
> do with my motherboard/BIOS settings (though I have tweaked these
> without success), but I wondered if anyone else has had the same
> difficulties? I have tried with both Syslinux and Grub boot loaders.
>
> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked even
> if I have chosen to load and run the system from RAM - i.e. the eject
> button on the drive does not work. Is this by design? It certainly makes
> upgrading more of a faff, because I can only change the disk after the
> machine reboots, and then the machine usually has to be physically
> rebooted again to get the new disk to boot.
>
> Dominic
>
> On 30/09/2014 19:35, Dominic Raferd wrote:
>> Seems good. Many thanks.
>>
>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>> test
>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>> date
>> cat: /tmp/echo: No such file or directory
>>
>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>> The compile finished successfully last night and I'm uploading into
>>> the testing folder right now.
>>> It'll take a couple hours for it to complete.
>>>
>>> Please test and let me know if you confirm that the bug is resolved.
>>> It seems that they keep finding issues in bash right now, so we'll
>>> gotta keep an eye on that for a bit.
>>>
>>> Heiko
>>>
>>> Quoting Heiko Zuerker <he...@zu...>:
>>>
>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>
>>>> Regards
>>>> Heiko Zuerker
>>>>
>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd
>>>>> <do...@ti...> wrote:
>>>>>
>>>>> Hope you had a good break Heiko!
>>>>>
>>>>> For DL, I haven't seen or heard of a patch, and
>>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at least
>>>>> in the meantime bash source has been better patched by those good redhat
>>>>> people
>>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>>
>>>>> Dominic
>>>>>
>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>> I just came back from vacation. I assume nobody worked on the patch yet?
>>>>>>
>>>>>> Heiko
>>>>>>
>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>
>>>>>>> Would be grateful if someone could fix DL's bash for the shell
>>>>>>> shock bug
>>>>>>> asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>>> Andrzej, Heiko, anyone?
>>>>>>>
>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux
>>>>>>> 1.6.5-2014-04-09,
>>>>>>> Linux 3.2.56)
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Devil-linux-discuss mailing list
>>>>>>> Dev...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss

-- 
Regards
Heiko Zuerker
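
The two probes quoted in the thread above, wrapped as a repeatable check that can be re-run after each new bash build. This is an added example, not part of the original messages or of Devil-Linux; `BASH_BIN`, the function names and the scratch directory are assumptions of this sketch. It covers only those two probes, not the CVE-2014-7186 and CVE-2014-7187 tests the thread links to.

```shell
#!/bin/sh
# Added example: re-runs the two probes quoted in the thread.
# BASH_BIN and the function names are assumptions of this sketch.
BASH_BIN="${BASH_BIN:-bash}"

# Probe 1: function definitions with trailing commands in the environment.
# A fixed bash prints only "test"; an unfixed one also prints "vulnerable".
probe_function_import() {
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$BASH_BIN" -c 'echo test' 2>/dev/null) || out=
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        test)         echo patched ;;
        *)            echo unknown ;;
    esac
}

# Probe 2: an unfixed bash leaves a file named "echo" in the working
# directory. A scratch directory replaces the thread's /tmp so nothing
# existing is deleted and no stale file gives a false result.
probe_stray_file() {
    dir=$(mktemp -d) || { echo unknown; return 0; }
    out=$(cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c 'echo date' \
          2>/dev/null) || out=
    if [ -e "$dir/echo" ]; then verdict=vulnerable
    elif [ "$out" = "date" ]; then verdict=patched
    else verdict=unknown
    fi
    rm -rf "$dir"
    echo "$verdict"
}

# Print both verdicts; exit status 0 only when both probes report "patched".
check_bash() {
    r1=$(probe_function_import)
    r2=$(probe_stray_file)
    echo "function-import probe: $r1"
    echo "stray-file probe:      $r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

check_bash || echo "bash did not pass both probes" >&2
```

Set `BASH_BIN` to the path of a freshly built binary to check it before installing it over the system bash.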