From: Dominic R. <do...@ti...> - 2014-10-07 11:34:28
The new version passes both those bash shellshock tests, thanks Heiko. I have solved my boot-from-USB issue. I have worked around the locked CD/DVD drive issue by adding this to /etc/init.d/boot.local:

    # if running from ram or not booting from CD/DVD, and CD/DVD drive is locked, unlock it
    [ -f /shm/dl_run_from_ram -o -z "$(grep -E "^/dev/(cdrom|sr)" /shm/DL_DEVICE)" ] && \
        [ "$(cat /proc/sys/dev/cdrom/lock 2>/dev/null)" = "1" ] && \
        echo 0 >/proc/sys/dev/cdrom/lock

Sadly udev doesn't detect disks being inserted or removed, maybe this is because DL lacks 'udisks', so after a physical load I have to execute CLI mount, and similarly umount is required to eject a disk (the eject button doesn't work if the disk is mounted). (DL also lacks the 'eject' command BTW.)

Dominic

On 06/10/2014 14:14, Heiko Zuerker wrote:
> I'm uploading the latest and greatest build right now.
> It includes the latest bash patches and a couple of other software updates.
> The upload should be finished at the latest in 2-3 hours from the time I sent this email.
>
> Let me know how the testing goes.
>
> Heiko
>
> Quoting Dominic Raferd <do...@ti...>:
>
>> 1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186 and CVE-2014-7187, sorry.
>>
>> Dominic
>>
>> On 04/10/2014 14:03, hz wrote:
>>> Another patch was released. It's in CVS already.
>>>
>>> Best Regards
>>> Heiko Zuerker
>>>
>>> -----Original Message-----
>>> From: hz [mailto:he...@zu...]
>>> Sent: Friday, October 03, 2014 8:01 AM
>>> To: dev...@li...
>>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>>
>>> I'm uploading the latest build into the testing folder, should be done in a couple of hours.
>>> Let me know how it looks.
>>>
>>> Any suggestions on how long we should wait to see if another bash patch comes out, before I officially release 1.6.6?
>>>
>>> Heiko
>>>
>>> -----Original Message-----
>>> From: Heiko Zuerker [mailto:he...@zu...]
>>> Sent: Thursday, October 02, 2014 3:44 PM
>>> To: dev...@li...
>>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>>
>>> The latest patch is in CVS now.
>>> I'm booting my firewall from a USB stick and have no issues with it.
>>>
>>> I think there's one piece that prevents us from unmounting the disk completely. If I remember correctly, it's part of the initrd script if you want to dig around.
>>>
>>> Heiko
>>>
>>> Quoting Dominic Raferd <do...@ti...>:
>>>
>>>>> It seems that they keep finding issues in bash right now, so we'll gotta keep an eye on that for a bit.
>>>> You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and CVE-2014-7187 - tests at http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New) patches for bash 4.2 to fix this are at http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>>>>
>>>> Off topic sorry, but since we are looking to a new release of DL:
>>>>
>>>> 1. I have had a problem for the last year or two that I cannot get any of my USB drives to boot DL, instead I have to boot via CD/DVD (which I admit has some security advantages). I have assumed this is something to do with my motherboard/BIOS settings (though I have tweaked these without success), but I wondered if anyone else has had the same difficulties? I have tried with both Syslinux and Grub boot loaders.
>>>> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked even if I have chosen to load and run the system from RAM - i.e. the eject button on the drive does not work. Is this by design? It certainly makes upgrading more of a faff, because I can only change the disk after the machine reboots, and then the machine usually has to be physically rebooted again to get the new disk to boot.
>>>>
>>>> Dominic
>>>>
>>>> On 30/09/2014 19:35, Dominic Raferd wrote:
>>>>> Seems good. Many thanks.
>>>>>
>>>>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>>>>> test
>>>>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>>>>> date
>>>>> cat: /tmp/echo: No such file or directory
>>>>>
>>>>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>>>>> The compile finished successfully last night and I'm uploading into the testing folder right now.
>>>>>> It'll take a couple hours for it to complete.
>>>>>>
>>>>>> Please test and let me know if you confirm that the bug is resolved.
>>>>>> It seems that they keep finding issues in bash right now, so we'll gotta keep an eye on that for a bit.
>>>>>>
>>>>>> Heiko
>>>>>>
>>>>>> Quoting Heiko Zuerker <he...@zu...>:
>>>>>>
>>>>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>>>> Regards
>>>>>>> Heiko Zuerker
>>>>>>>
>>>>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd <do...@ti...> wrote:
>>>>>>>>
>>>>>>>> Hope you had a good break Heiko!
>>>>>>>>
>>>>>>>> For DL, I haven't seen or heard of a patch, and ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at least in the meantime bash source has been better patched by those good redhat people http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>>>>> Dominic
>>>>>>>>
>>>>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>>>>> I just came back from vacation. I assume nobody worked on the patch yet?
>>>>>>>>> Heiko
>>>>>>>>>
>>>>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>>>>
>>>>>>>>>> Would be grateful if someone could fix DL's bash for the shell shock bug asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/). Andrzej, Heiko, anyone?
>>>>>>>>>>
>>>>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09, Linux 3.2.56)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
>>>>>>>>>> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
>>>>>>>>>> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
>>>>>>>>>> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>>>>>>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Devil-linux-discuss mailing list
>>>>>>>>>> Dev...@li...
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
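The two Shellshock checks pasted in the thread (the CVE-2014-6271 function-import test and the CVE-2014-7169 file-named-echo test), wrapped into a small regression script that reports "patched" or "VULNERABLE" per CVE; this is an added example, not code from the thread or from Devil-Linux, and the function names and the shell-binary parameter are my own choices.

```shell
#!/bin/sh
# Shellshock regression check built from the two test commands quoted in the
# thread. Added example; not part of the mailing-list post or of Devil-Linux.
# Each check_* function prints nothing and returns 0 (not vulnerable) or
# 1 (vulnerable); the shell binary under test is passed as $1.

# CVE-2014-6271: a function definition exported through the environment must
# not execute the command appended after the function body when bash starts.
check_cve_2014_6271() {
    shell="$1"
    out=$(env 'x=() { :;}; echo vulnerable' "$shell" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete-function trick makes an unpatched bash redirect
# the next command's output into a file called "echo" in the current directory
# (the thread's test does this in /tmp). We use a private temp dir instead and
# check whether that file appeared.
check_cve_2014_7169() {
    shell="$1"
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env 'x=() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Run both checks against one shell binary (default: bash on PATH) and print a
# one-line verdict per CVE. Returns 1 if either check reports vulnerable.
shellshock_status() {
    shell="${1:-bash}"
    rc=0
    if check_cve_2014_6271 "$shell"; then echo "CVE-2014-6271: patched"
    else echo "CVE-2014-6271: VULNERABLE"; rc=1; fi
    if check_cve_2014_7169 "$shell"; then echo "CVE-2014-7169: patched"
    else echo "CVE-2014-7169: VULNERABLE"; rc=1; fi
    return $rc
}
```

Run it as `shellshock_status /bin/bash` after installing a new build; a non-zero exit status means at least one of the two tests still fails.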