From: Dominic R. <do...@ti...> - 2014-10-05 06:01:46

1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186 and CVE-2014-7187, sorry.

Dominic

On 04/10/2014 14:03, hz wrote:
> Another patch was released. It's in CVS already.
>
> Best Regards
> Heiko Zuerker
>
> -----Original Message-----
> From: hz [mailto:he...@zu...]
> Sent: Friday, October 03, 2014 8:01 AM
> To: dev...@li...
> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>
> I'm uploading the latest build into the testing folder, should be done in a
> couple of hours.
> Let me know how it looks.
>
> Any suggestions on how long we should wait to see if another bash patch
> comes out, before I officially release 1.6.6?
>
> Heiko
>
> -----Original Message-----
> From: Heiko Zuerker [mailto:he...@zu...]
> Sent: Thursday, October 02, 2014 3:44 PM
> To: dev...@li...
> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>
> The latest patch is in CVS now.
> I'm booting my firewall from a USB stick and have no issues with it.
>
> I think there's one piece that prevents us from unmounting the disk
> completely. If I remember correctly, it's part of the initrd script if you
> want to dig around.
>
> Heiko
>
> Quoting Dominic Raferd <do...@ti...>:
>
>>> It seems that they keep finding issues in bash right now, so we'll
>>> gotta keep an eye on that for a bit.
>> You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and
>> CVE-2014-7187 - tests at
>> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
>> patches for bash 4.2 to fix this are at
>> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>>
>> Off topic sorry, but since we are looking to a new release of DL:
>>
>> 1. I have had a problem for the last year or two that I cannot get any
>> of my USB drives to boot DL, instead I have to boot via CD/DVD (which
>> I admit has some security advantages). I have assumed this is
>> something to do with my motherboard/BIOS settings (though I have
>> tweaked these without success), but I wondered if anyone else has had
>> the same difficulties? I have tried with both Syslinux and Grub boot
>> loaders.
>> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked
>> even if I have chosen to load and run the system from RAM - i.e. the
>> eject button on the drive does not work. Is this by design? It
>> certainly makes upgrading more of a faff, because I can only change
>> the disk after the machine reboots, and then the machine usually has
>> to be physically rebooted again to get the new disk to boot.
>>
>> Dominic
>>
>> On 30/09/2014 19:35, Dominic Raferd wrote:
>>> Seems good. Many thanks.
>>>
>>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>>> test
>>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>>> date
>>> cat: /tmp/echo: No such file or directory
>>>
>>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>>> The compile finished successfully last night and I'm uploading into
>>>> the testing folder right now.
>>>> It'll take a couple hours for it to complete.
>>>>
>>>> Please test and let me know if you confirm that the bug is resolved.
>>>> It seems that they keep finding issues in bash right now, so we'll
>>>> gotta keep an eye on that for a bit.
>>>>
>>>> Heiko
>>>>
>>>> Quoting Heiko Zuerker <he...@zu...>:
>>>>
>>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>>
>>>>> Regards
>>>>> Heiko Zuerker
>>>>>
>>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd
>>>>>> <do...@ti...> wrote:
>>>>>>
>>>>>> Hope you had a good break Heiko!
>>>>>>
>>>>>> For DL, I haven't seen or heard of a patch, and
>>>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at
>>>>>> least in the meantime bash source has been better patched by those
>>>>>> good redhat people
>>>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>>>
>>>>>> Dominic
>>>>>>
>>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>>> I just came back from vacation. I assume nobody worked on the
>>>>>>> patch yet?
>>>>>>> Heiko
>>>>>>>
>>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>>
>>>>>>>> Would be grateful if someone could fix DL's bash for the shell
>>>>>>>> shock bug asap
>>>>>>>> (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>>>> Andrzej, Heiko, anyone?
>>>>>>>>
>>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux
>>>>>>>> 1.6.5-2014-04-09, Linux 3.2.56)
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Devil-linux-discuss mailing list
>>>>>>>> Dev...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
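The two one-liners Dominic pasted above (the CVE-2014-6271 environment-function test and the CVE-2014-7169 file-creation test) are the checks a maintainer re-runs after every bash rebuild. The script below is an added example, not code from the thread or from the Devil-Linux project: it wraps those same two checks into functions that return a one-word verdict, so a post-upgrade hook can fail loudly instead of relying on someone eyeballing terminal output. It assumes only that a `bash` binary is on `PATH`; the CVE-2014-7169 probe is run inside a throwaway directory so the `echo` file it would create on a vulnerable build never lands in `/tmp`.

```shell
#!/bin/sh
# Added example (not from the Devil-Linux thread): repeatable verification
# of the two Shellshock checks quoted in the thread. Assumes `bash` on PATH.

have_bash() {
    command -v bash >/dev/null 2>&1
}

# CVE-2014-6271: a patched bash must only import the function definition from
# the environment and must never run the commands that follow it.
# Prints "patched", "vulnerable", or "no-bash".
check_cve_2014_6271() {
    have_bash || { echo no-bash; return 0; }
    out=$(env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' \
          bash -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the bypass of the first fix. On a vulnerable bash the parser
# turns the environment value into a redirection that creates a file named
# "echo" in the current directory; a patched bash leaves no file behind.
# Prints "patched", "vulnerable", or "no-bash".
check_cve_2014_7169() {
    have_bash || { echo no-bash; return 0; }
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'x=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$dir"
    echo "$result"
}

# Overall verdict for scripting: "patched" only if both probes pass.
shellshock_status() {
    have_bash || { echo no-bash; return 0; }
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    if [ "$a" = patched ] && [ "$b" = patched ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Stand-alone usage: report each check and the combined verdict.
echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
echo "overall:       $(shellshock_status)"
```

A release script can call `shellshock_status` and refuse to publish the image unless it prints `patched`; the per-CVE functions keep the two findings separate so a build that fixes the first bug but not its bypass is reported as such. The CVE-2014-7186 and CVE-2014-7187 tests the thread says the 1.6.6 testing build still fails are not included here because the thread only links to them rather than quoting them.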