From: Heiko Z. <he...@zu...> - 2014-10-06 13:14:36

I'm uploading the latest and greatest build right now. It includes the latest bash patches and a couple of other software updates.
The upload should be finished at the latest in 2-3 hours from the time I sent this email.

Let me know how the testing goes.

Heiko

Quoting Dominic Raferd <do...@ti...>:

> 1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186
> and CVE-2014-7187, sorry.
>
> Dominic
>
> On 04/10/2014 14:03, hz wrote:
>> Another patch was released. It's in CVS already.
>>
>> Best Regards
>> Heiko Zuerker
>>
>> -----Original Message-----
>> From: hz [mailto:he...@zu...]
>> Sent: Friday, October 03, 2014 8:01 AM
>> To: dev...@li...
>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>
>> I'm uploading the latest build into the testing folder, should be done in a
>> couple of hours.
>> Let me know how it looks.
>>
>> Any suggestions on how long we should wait to see if another bash patch
>> comes out, before I officially release 1.6.6?
>>
>> Heiko
>>
>> -----Original Message-----
>> From: Heiko Zuerker [mailto:he...@zu...]
>> Sent: Thursday, October 02, 2014 3:44 PM
>> To: dev...@li...
>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>
>> The latest patch is in CVS now.
>> I'm booting my firewall from a USB stick and have no issues with it.
>>
>> I think there's one piece that prevents us from unmounting the disk
>> completely. If I remember correctly, it's part of the initrd script if you
>> want to dig around.
>>
>> Heiko
>>
>> Quoting Dominic Raferd <do...@ti...>:
>>
>>>> It seems that they keep finding issues in bash right now, so we'll
>>>> gotta keep an eye on that for a bit.
>>> You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and
>>> CVE-2014-7187 - tests at
>>> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
>>> patches for bash 4.2 to fix this are at
>>> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>>>
>>> Off topic sorry, but since we are looking to a new release of DL:
>>>
>>> 1. I have had a problem for the last year or two that I cannot get any
>>> of my USB drives to boot DL, instead I have to boot via CD/DVD (which
>>> I admit has some security advantages). I have assumed this is
>>> something to do with my motherboard/BIOS settings (though I have
>>> tweaked these without success), but I wondered if anyone else has had
>>> the same difficulties? I have tried with both Syslinux and Grub boot
>>> loaders.
>>> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked
>>> even if I have chosen to load and run the system from RAM - i.e. the
>>> eject button on the drive does not work. Is this by design? It
>>> certainly makes upgrading more of a faff, because I can only change
>>> the disk after the machine reboots, and then the machine usually has
>>> to be physically rebooted again to get the new disk to boot.
>>>
>>> Dominic
>>>
>>> On 30/09/2014 19:35, Dominic Raferd wrote:
>>>> Seems good. Many thanks.
>>>>
>>>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() {
>>>> :;}; echo vulnerable' bash -c "echo test"
>>>> test
>>>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c
>>>> "echo date"; cat /tmp/echo date
>>>> cat: /tmp/echo: No such file or directory
>>>>
>>>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>>>> The compile finished successfully last night and I'm uploading into
>>>>> the testing folder right now.
>>>>> It'll take a couple hours for it to complete.
>>>>>
>>>>> Please test and let me know if you confirm that the bug is resolved.
>>>>> It seems that they keep finding issues in bash right now, so we'll
>>>>> gotta keep an eye on that for a bit.
>>>>>
>>>>> Heiko
>>>>>
>>>>> Quoting Heiko Zuerker <he...@zu...>:
>>>>>
>>>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>>>
>>>>>> Regards
>>>>>> Heiko Zuerker
>>>>>>
>>>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd
>>>>>>> <do...@ti...> wrote:
>>>>>>>
>>>>>>> Hope you had a good break Heiko!
>>>>>>>
>>>>>>> For DL, I haven't seen or heard of a patch, and
>>>>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at
>>>>>>> least in the meantime bash source has been better patched by those
>>>>>>> good redhat people
>>>>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>>>> Dominic
>>>>>>>
>>>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>>>> I just came back from vacation. I assume nobody worked on the
>>>>>>>> patch yet?
>>>>>>>> Heiko
>>>>>>>>
>>>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>>>
>>>>>>>>> Would be grateful if someone could fix DL's bash for the shell
>>>>>>>>> shock bug asap
>>>>>>>>> (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>>>>> Andrzej, Heiko, anyone?
>>>>>>>>>
>>>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux
>>>>>>>>> 1.6.5-2014-04-09, Linux 3.2.56)
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Devil-linux-discuss mailing list
>>>>>>>>> Dev...@li...
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
-- 
Regards
Heiko Zuerker
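
The two checks quoted in the 30/09/2014 message above, wrapped so they can be re-run against each new testing build. This is an added example, not part of the original thread or of Devil-Linux; the `BASH_BIN` variable and the function names are assumptions of this sketch, and it does not cover the CVE-2014-7186 and CVE-2014-7187 tests the thread refers to by link.

```shell
#!/bin/sh
# Added example: repeatable form of the two checks quoted in this thread.
# BASH_BIN is a name chosen for this sketch; it selects the bash under test.
BASH_BIN="${BASH_BIN:-bash}"

# Check 1 (first command in the 30/09/2014 message): a vulnerable bash runs
# the text after the function body while importing the environment variable,
# so "vulnerable" appears before "test".
check_func_import() {
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo VULNERABLE ;;
        test)         echo ok ;;
        *)            echo unknown ;;   # e.g. binary missing or unexpected output
    esac
}

# Check 2 (second command): a vulnerable parser keeps the dangling ">\" and
# runs "echo date" as "date > echo", leaving a file named "echo" behind.
# Run in a scratch directory so nothing in /tmp is touched.
check_parser_redirect() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c 'echo date' ) \
        >/dev/null 2>&1 || :
    if [ -e "$dir/echo" ]; then res=VULNERABLE; else res=ok; fi
    rm -rf "$dir"
    echo "$res"
}

# Summarise both checks; non-zero status if either did not come back "ok".
shellshock_report() {
    r1=$(check_func_import); r2=$(check_parser_redirect)
    echo "function import:  $r1"
    echo "parser redirect:  $r2"
    [ "$r1" = ok ] && [ "$r2" = ok ]
}

shellshock_report || echo "bash under test needs patching" >&2
```

Set `BASH_BIN` to the path of the bash binary from the build under test to check it instead of the one on `PATH`.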