From: Heiko Z. <he...@zu...> - 2014-10-08 12:39:58

Another bash patch came out. I added it to CVS.

Heiko

Quoting Dominic Raferd <do...@ti...>:

> The new version passes both those bash shellshock tests, thanks Heiko.
>
> I have solved my boot-from-USB issue. I have worked around the locked
> CD/DVD drive issue by adding this to /etc/init.d/boot.local:
>
> # if running from ram or not booting from CD/DVD, and CD/DVD drive is locked, unlock it
> [ -f /shm/dl_run_from_ram -o -z "$(grep -E "^/dev/(cdrom|sr)" /shm/DL_DEVICE)" ] && [ "$(cat /proc/sys/dev/cdrom/lock 2>/dev/null)" = "1" ] && echo 0 >/proc/sys/dev/cdrom/lock
>
> Sadly udev doesn't detect disks being inserted or removed, maybe this is
> because DL lacks 'udisks', so after a physical load I have to execute
> CLI mount, and similarly umount is required to eject a disk (the eject
> button doesn't work if the disk is mounted). (DL also lacks the 'eject'
> command BTW.)
>
> Dominic
>
> On 06/10/2014 14:14, Heiko Zuerker wrote:
>> I'm uploading the latest and greatest build right now.
>> It includes the latest bash patches and a couple of other software updates.
>> The upload should be finished at the latest in 2-3 hours from the time I
>> sent this email.
>>
>> Let me know how the testing goes.
>>
>> Heiko
>>
>> Quoting Dominic Raferd <do...@ti...>:
>>
>>> 1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186
>>> and CVE-2014-7187, sorry.
>>>
>>> Dominic
>>>
>>> On 04/10/2014 14:03, hz wrote:
>>>> Another patch was released. It's in CVS already.
>>>>
>>>> Best Regards
>>>> Heiko Zuerker
>>>>
>>>> -----Original Message-----
>>>> From: hz [mailto:he...@zu...]
>>>> Sent: Friday, October 03, 2014 8:01 AM
>>>> To: dev...@li...
>>>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>>>
>>>> I'm uploading the latest build into the testing folder, should be done in a
>>>> couple of hours.
>>>> Let me know how it looks.
>>>>
>>>> Any suggestions on how long we should wait to see if another bash patch
>>>> comes out, before I officially release 1.6.6?
>>>>
>>>> Heiko
>>>>
>>>> -----Original Message-----
>>>> From: Heiko Zuerker [mailto:he...@zu...]
>>>> Sent: Thursday, October 02, 2014 3:44 PM
>>>> To: dev...@li...
>>>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>>>
>>>> The latest patch is in CVS now.
>>>> I'm booting my firewall from a USB stick and have no issues with it.
>>>>
>>>> I think there's one piece that prevents us from unmounting the disk
>>>> completely. If I remember correctly, it's part of the initrd script if you
>>>> want to dig around.
>>>>
>>>> Heiko
>>>>
>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>
>>>>>> It seems that they keep finding issues in bash right now, so we'll
>>>>>> gotta keep an eye on that for a bit.
>>>>> You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and
>>>>> CVE-2014-7187 - tests at
>>>>> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
>>>>> patches for bash 4.2 to fix this are at
>>>>> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>>>>>
>>>>> Off topic sorry, but since we are looking to a new release of DL:
>>>>>
>>>>> 1. I have had a problem for the last year or two that I cannot get any
>>>>> of my USB drives to boot DL, instead I have to boot via CD/DVD (which
>>>>> I admit has some security advantages). I have assumed this is
>>>>> something to do with my motherboard/BIOS settings (though I have
>>>>> tweaked these without success), but I wondered if anyone else has had
>>>>> the same difficulties? I have tried with both Syslinux and Grub boot loaders.
>>>>> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked
>>>>> even if I have chosen to load and run the system from RAM - i.e. the
>>>>> eject button on the drive does not work. Is this by design? It
>>>>> certainly makes upgrading more of a faff, because I can only change
>>>>> the disk after the machine reboots, and then the machine usually has
>>>>> to be physically rebooted again to get the new disk to boot.
>>>>>
>>>>> Dominic
>>>>>
>>>>> On 30/09/2014 19:35, Dominic Raferd wrote:
>>>>>> Seems good. Many thanks.
>>>>>>
>>>>>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>>>>>> test
>>>>>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>>>>>> date
>>>>>> cat: /tmp/echo: No such file or directory
>>>>>>
>>>>>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>>>>>> The compile finished successfully last night and I'm uploading into
>>>>>>> the testing folder right now.
>>>>>>> It'll take a couple hours for it to complete.
>>>>>>>
>>>>>>> Please test and let me know if you confirm that the bug is resolved.
>>>>>>> It seems that they keep finding issues in bash right now, so we'll
>>>>>>> gotta keep an eye on that for a bit.
>>>>>>>
>>>>>>> Heiko
>>>>>>>
>>>>>>> Quoting Heiko Zuerker <he...@zu...>:
>>>>>>>
>>>>>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Heiko Zuerker
>>>>>>>>
>>>>>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd
>>>>>>>>> <do...@ti...> wrote:
>>>>>>>>>
>>>>>>>>> Hope you had a good break Heiko!
>>>>>>>>>
>>>>>>>>> For DL, I haven't seen or heard of a patch, and
>>>>>>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at
>>>>>>>>> least in the meantime bash source has been better patched by those
>>>>>>>>> good redhat people
>>>>>>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>>>>>>
>>>>>>>>> Dominic
>>>>>>>>>
>>>>>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>>>>>> I just came back from vacation. I assume nobody worked on the
>>>>>>>>>> patch yet?
>>>>>>>>>>
>>>>>>>>>> Heiko
>>>>>>>>>>
>>>>>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>>>>>
>>>>>>>>>>> Would be grateful if someone could fix DL's bash for the shell
>>>>>>>>>>> shock bug asap
>>>>>>>>>>> (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>>>>>>> Andrzej, Heiko, anyone?
>>>>>>>>>>>
>>>>>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux
>>>>>>>>>>> 1.6.5-2014-04-09, Linux 3.2.56)
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss

--
Regards
Heiko Zuerker
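Added example, not part of the thread or of Devil-Linux itself: a small POSIX sh script that wraps the two Shellshock checks Dominic ran above (the exported-function-import test that prints "vulnerable", and the parser test that leaves a file named "echo" behind) so a testing build can be verified repeatably instead of by eye. The function names are my own; it assumes only `env`, `mktemp` and the bash binary under test. It changes nothing on the system: the second check runs in a throwaway temporary directory because a vulnerable bash writes the stray "echo" file into the current directory.

```shell
#!/bin/sh
# shellshock_check.sh - report whether a bash binary still fails the two
# public Shellshock tests quoted in the Devil-Linux thread. Added example;
# function names are assumptions, not Devil-Linux code.

# shellshock_import_check BASH
# Prints "vulnerable" if bash executes the trailing command of an exported
# function definition while importing the environment, "patched" otherwise.
shellshock_import_check() {
    bash_bin=${1:-bash}
    out=$(env 'x=() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# shellshock_redirect_check BASH
# The parser test: a vulnerable bash turns 'echo date' into a redirection
# and creates a file named "echo" in the current directory. Run it inside a
# private temp dir so nothing is left behind either way.
shellshock_redirect_check() {
    bash_bin=${1:-bash}
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'x=() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$dir"
    echo "$result"
}

# check_bash BASH
# Prints one line per test. Returns 0 when both are patched, 1 when at
# least one still fails, 2 when the binary cannot be found.
check_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "$bash_bin: not found"
        return 2
    fi
    r1=$(shellshock_import_check "$bash_bin")
    r2=$(shellshock_redirect_check "$bash_bin")
    echo "function import test:   $r1"
    echo "parser redirect test:   $r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

# Only run automatically when executed under this file name, so the
# functions can also be sourced from another script.
case "$0" in
    *shellshock_check.sh) check_bash "${1:-bash}" ;;
esac
```

Usage: `sh shellshock_check.sh /path/to/bash` on the build under test; an exit status of 0 means both checks pass, 1 that at least one still fails, 2 that the binary was not found. The checks are the same ones quoted in the thread, so a build that passes here should also pass Dominic's manual run; the CVE-2014-7186 and CVE-2014-7187 cases he mentions later are separate tests and are not covered by this script.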