securitybreach (posted September 25, 2014):
This is rather serious and should be patched right away on your distro. If you are using Archlinux and updated today, you will have gotten the patched version of bash today.

> Bash specially-crafted environment variables code injection attack
>
> Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal based command interpreter to many other fancy uses.
>
> In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc).
>
> Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.

https://securityblog...jection-attack/

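A defensive check for the mechanism the quoted advisory describes, as an added example that is not part of the original post or the linked article: affected bash versions treat any environment value beginning with the four characters `() {` as an exported function definition, whatever the variable is called, so a request-derived variable that starts that way is worth flagging. The function name `flag_function_values` and the environment dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag NAME=value lines whose value begins with "() {".
# Affected bash versions import such values as function definitions,
# regardless of the variable's name.

# Constructed sample: a CGI-style environment dump. The trailing text in
# the first flagged entry is a harmless placeholder, not a command.
SAMPLE_ENV='REQUEST_METHOD=GET
HTTP_USER_AGENT=() { :; }; PLACEHOLDER
HTTP_ACCEPT=text/html
HTTP_COOKIE=session=abc; theme=() { dark
HTTP_REFERER=() { :; }
PATH=/usr/bin:/bin'

# Read NAME=value lines on stdin and print the name of every variable
# whose value starts with the function-definition prefix.
flag_function_values() {
    while IFS= read -r line; do
        case "$line" in
            *=*) ;;            # only NAME=value lines are inspected
            *) continue ;;
        esac
        name=${line%%=*}       # text before the first "="
        value=${line#*=}       # text after the first "="
        case "$value" in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# Only the prefix matters: HTTP_COOKIE contains "() {" later in its value
# and is therefore not reported.
printf '%s\n' "$SAMPLE_ENV" | flag_function_values
```
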
V.T. Eric Layton (posted September 25, 2014):
Slackware patch is on the servers. Update now.

BarryB (posted September 25, 2014):
Same with Mageia... if you're up to date as of yesterday you're good to go.

raymac46 (posted September 25, 2014):
My wife pointed this out to me today. I told her that it was already fixed in Linux at least. Got updates yesterday.

securitybreach (posted September 25, 2014):
Debian also has this updated as well as Raspbian (Debian for the Pi).

ebrke (posted September 25, 2014):
Here we go again: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

V.T. Eric Layton (posted September 25, 2014):
Lot of possible FUD going around on the Internets about this today.
The U.S. Cert alert --> https://www.us-cert.gov/ncas/alerts/TA14-268A
The beginnings of the FUD --> http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924?wpisrc=nl-swbd&wpmm=1

V.T. Eric Layton (posted September 25, 2014):
Here comes the FUD --> more on this thread: http://forums.scotsnewsletter.com/index.php?showtopic=72323&hl= (maybe a mod should merge these two?)

ebrke (posted September 25, 2014):
Mod please delete this topic. Somehow I missed earlier topic. Sorry.

V.T. Eric Layton (posted September 25, 2014):
Doesn't need to be deleted, just merged with the other one.

V.T. Eric Layton (posted September 25, 2014):
2nd patch for Slackware on the servers.

Guest LilBambi (posted September 26, 2014):
All updated on my Raspbian. Debian says it's pushed out but I have been offered it when I do apt-get update and apt-get upgrade. Still shows zero packages needing updated.

Guest LilBambi (posted September 26, 2014):
All merged up.

V.T. Eric Layton (posted September 26, 2014):
> Mod please delete this topic. Somehow I missed earlier topic. Sorry.

Oh, goody! We got merged.

ichase (posted September 26, 2014):
Is zsh susceptible to this vulnerability?

V.T. Eric Layton (posted September 26, 2014):
I wouldn't think so, Ian. It's a totally different shell. I'm thinking of switching to zsh for a while, actually.

sunrat (posted September 26, 2014):
Patched in Debian stable (twice). Here's the latest one - http://forums.scotsnewsletter.com/index.php?showtopic=22937&st=775#entry408682
I haven't had security notification for testing or unstable yet, but apt shows a new version 4.3-9.1 available from unstable.

V.T. Eric Layton (posted September 26, 2014):
I just received an alert for a third bash patch for Slackware.

V.T. Eric Layton (posted September 26, 2014):
Something you Linux folks need to understand also... there are two types of shells:

- the login shell
- the interactive shell

The login shell is the shell used by the operating system when you first login. Even if you don't physically login at a command line, your desktop graphical user interface is logging you in automatically. This shell is almost always bash in most distributions.

The interactive shell is the one you bring up in terminal or at the non-graphic command line as a user to manipulate directories, files, and implement commands which perform certain functions.

Here's the important thing to know: when you change your user shell, usually by using this command:

    # chsh -s /bin/zsh <your username>

you are ONLY changing the shell from bash to zsh for your non-root user on the system. This means that the operating system's login shell and the root shell are both still bash. Be aware of this. This is why it's important to update your bash shell software on your systems regardless of the shell you're using for your user.

You can check to see what shell you are currently using by entering this command:

    $ echo $0

Alrighty, then. Off you go. Have fun!

Oh, and I did play around a bit with zsh, but it's going to require some work to set it up and get my .zshrc file the way I want it. Something to tinker with during the long cold winter nights, I think.

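The point made in the post above, that changing one user's shell leaves root and other accounts on bash, can be checked from the passwd database. This is an added example, not part of the original post; the function names `bash_login_accounts` and `root_uses_bash` and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the accounts whose login shell is still bash.
# Field 7 of a passwd(5) entry is the account's login shell.

# Constructed sample in passwd(5) format: "user1" has been switched to
# zsh with chsh, while root and the other accounts have not.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1000:1000:User One:/home/user1:/bin/zsh
backup:x:34:34:backup:/var/backups:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Read passwd-format lines on stdin and print "name shell" for every
# account whose login shell is bash. Comments and short lines are skipped.
bash_login_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }
        $7 ~ "(^|/)bash$" { print $1, $7 }
    '
}

# Read passwd-format lines on stdin; succeed if root's login shell is bash.
root_uses_bash() {
    bash_login_accounts | grep -q '^root '
}

printf '%s\n' "$SAMPLE_PASSWD" | bash_login_accounts
if printf '%s\n' "$SAMPLE_PASSWD" | root_uses_bash; then
    echo "root still logs in with bash: the bash package must be patched"
fi

# On a live Linux system the same functions can read the real database:
#   getent passwd | bash_login_accounts
```
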
securitybreach (posted September 26, 2014):
> Is zsh susceptible to this vulnerability?

Even if you do not use bash, it can still be a problem as a very large majority of applications have bash as a dependency so it is still installed.

Guest LilBambi (posted September 26, 2014):
Debian main repositories still not offering bash update via apt-get today so far.

raymac46 (posted September 26, 2014):
Just got a bash update via Linux Mint update manager.

securitybreach (posted September 26, 2014):
Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

onederer (posted September 27, 2014):
http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained

Now that the Bash Bug is haunting our Linux/BSD world, what are you going to do?? Are you going to still keep on using BASH, and take your chances? I made a decision to start using ZSH until a solution has been found for the bash thing. Hopefully doing that, the bash bug will not come knocking at my door. What are your plans about this problem?

Cheers!

tforsman (posted September 27, 2014):
Isn't the bash bug already solved?

onederer (posted September 27, 2014):
The last thing that I read is that they are still trying to figure it out, and what to do about it. They say that it's worse than the Heartbleed problem. AFAIK, no solution has been put out yet. The link above will give you a headstart to bone up on the topic.

Are you going to still keep on using BASH, or switch to another one, as long as this problem still exists? Even if they do find a cure, in the meantime, there are a lot of entities out there that still have to cope with this problem.

Cheers!

muckshifter (posted September 27, 2014):
... isn't it a 25 year old 'bug' or is the news a bit slack these days?

Guest LilBambi (posted September 27, 2014):
http://www.engadget.com/2014/09/25/what-is-the-shellshock/

securitybreach (posted September 27, 2014):
I absolutely love zsh and I have been using it for over a year but just because you switched shells doesn't mean that you're immune to the bash issue. Since most applications depend on bash, whether you actually use it or not doesn't matter any as you still have it installed.

BTW this issue has already been solved so unless you are not updating your server, then there is no reason to start worrying.