From: hz <he...@zu...> - 2014-10-03 13:01:21

I'm uploading the latest build into the testing folder, should be done in a couple of hours.
Let me know how it looks.

Any suggestions on how long we should wait to see if another bash patch comes out, before I officially release 1.6.6?

Heiko

-----Original Message-----
From: Heiko Zuerker [mailto:he...@zu...]
Sent: Thursday, October 02, 2014 3:44 PM
To: dev...@li...
Subject: Re: [Devil-Linux-discuss] Shell shock bash fix

The latest patch is in CVS now.

I'm booting my firewall from a USB stick and have no issues with it.
I think there's one piece that prevents us from unmounting the disk completely. If I remember correctly, it's part of the initrd script if you want to dig around.

Heiko

Quoting Dominic Raferd <do...@ti...>:

>> It seems that they keep finding issues in bash right now, so we'll
>> gotta keep an eye on that for a bit.
>
> You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and
> CVE-2014-7187 - tests at
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
> patches for bash 4.2 to fix this are at
> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>
> Off topic sorry, but since we are looking to a new release of DL:
>
> 1. I have had a problem for the last year or two that I cannot get any
> of my USB drives to boot DL, instead I have to boot via CD/DVD (which
> I admit has some security advantages). I have assumed this is
> something to do with my motherboard/BIOS settings (though I have
> tweaked these without success), but I wondered if anyone else has had
> the same difficulties? I have tried with both Syslinux and Grub boot loaders.
>
> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked
> even if I have chosen to load and run the system from RAM - i.e. the
> eject button on the drive does not work. Is this by design? It
> certainly makes upgrading more of a faff, because I can only change
> the disk after the machine reboots, and then the machine usually has
> to be physically rebooted again to get the new disk to boot.
>
> Dominic
>
> On 30/09/2014 19:35, Dominic Raferd wrote:
>> Seems good. Many thanks.
>>
>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>> test
>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>> date
>> cat: /tmp/echo: No such file or directory
>>
>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>> The compile finished successfully last night and I'm uploading into
>>> the testing folder right now.
>>> It'll take a couple hours for it to complete.
>>>
>>> Please test and let me know if you confirm that the bug is resolved.
>>> It seems that they keep finding issues in bash right now, so we'll
>>> gotta keep an eye on that for a bit.
>>>
>>> Heiko
>>>
>>> Quoting Heiko Zuerker <he...@zu...>:
>>>
>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>
>>>> Regards
>>>> Heiko Zuerker
>>>>
>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd
>>>>> <do...@ti...> wrote:
>>>>>
>>>>> Hope you had a good break Heiko!
>>>>>
>>>>> For DL, I haven't seen or heard of a patch, and
>>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at
>>>>> least in the meantime bash source has been better patched by those
>>>>> good redhat people
>>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115 /...
>>>>>
>>>>> Dominic
>>>>>
>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>> I just came back from vacation. I assume nobody worked on the patch yet?
>>>>>>
>>>>>> Heiko
>>>>>>
>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>
>>>>>>> Would be grateful if someone could fix DL's bash for the shell
>>>>>>> shock bug asap
>>>>>>> (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>>> Andrzej, Heiko, anyone?
>>>>>>>
>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux
>>>>>>> 1.6.5-2014-04-09, Linux 3.2.56)

--
Regards
Heiko Zuerker

_______________________________________________
Devil-linux-discuss mailing list
Dev...@li...
https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
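
The two checks Dominic ran in the quoted 30/09 message, wrapped so the result is interpreted rather than read by eye. This is an added example, not part of the original thread; the function names and the use of a private temporary directory instead of /tmp are assumptions.

```shell
#!/bin/sh
# Added example: the two bash checks quoted in the thread, with the outcome
# turned into an exit status. Function names are hypothetical.

# Check 1: function definitions passed in the environment with trailing
# commands. A fixed bash prints only "test"; an unfixed one also prints "vulnerable".
check_func_import() {
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              bash -c "echo test" 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) return 1 ;;
        *test*)       return 0 ;;
        *)            return 2 ;;   # bash missing or unexpected output
    esac
}

# Check 2: an unfixed bash leaves a file named "echo" in the working
# directory; a fixed one just prints "date" and creates nothing.
# Runs in a private temp dir so nothing in /tmp is removed or overwritten.
check_parser_state() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'x=() { (a)=>\' bash -c "echo date" ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$dir"
    return $rc
}

# Run both checks and summarise; non-zero if either did not come back clean.
report() {
    status=0
    for check in check_func_import check_parser_state; do
        if $check; then
            echo "$check: not vulnerable"
        else
            echo "$check: VULNERABLE or inconclusive"
            status=1
        fi
    done
    return $status
}

report || true
```

A clean result here covers only these two checks; the later issues mentioned in the thread have their own tests at the Wikipedia link Dominic gives.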