LUG: We are all patching, right?

Martin Heck mheck at mines.edu
Sat Sep 27 13:03:26 MDT 2014


And to be a little more aware of things… this is particularly bad with systems that either use bash as /bin/sh and/or use bash shell scripts to do or configure things from the outside world -- Apache with legacy CGI-BIN shell stuff, DHCP clients that run Bash scripts on ifup/ifdown and are passed things from the DHCP server [like, an IP address ;) ]… this does mean that that webserver you thought wasn’t doing anything may now be able to wreck anything www-data (debian-esque) owns. Thankfully, the Debian/Ubuntu dhclient uses /bin/sh, which on those distros is defaulted to “dash”, *not* “bash”. If you’ve got a custom crafted shell for SSH (say, if you’re running something so “operators” can run backups), that’s the big risk with SSH at this point. (note this is my side-reading of things while I’m out sick, so take it with a grain of salt, and don’t hesitate to send email to security at mines.edu to pester the actual security folk :) ).

Martin

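Two checks that go with Martin's points above, added here as an example and not code from the thread: what /bin/sh actually resolves to on the box, and whether the installed bash still exports functions in the old plain `name=() { ...}` form (the format the environment-variable injection relies on) or in the namespaced `BASH_FUNC_` form that the later, fuller fixes use. It assumes a POSIX sh with a GNU or BusyBox `readlink -f`; the sample environment dumps mentioned in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks:
#  1. what /bin/sh really runs (Shellshock only matters once a script
#     ends up in bash; Debian/Ubuntu default /bin/sh to dash);
#  2. how the installed bash exports functions to child processes.
#     Pre-fix bash puts them in the environment as "f=() { ...}", which
#     is why any environment variable could be parsed as a function.
#     The later fixes move them to "BASH_FUNC_f%%=" (upstream) or
#     "BASH_FUNC_f()=" (Red Hat's variant), so plain variables are
#     never parsed as functions again.
set -e

# Print the basename of the program /bin/sh resolves to, e.g. dash or bash.
sh_implementation() {
    target=$(readlink -f /bin/sh 2>/dev/null) || target=/bin/sh
    basename "$target"
}

# Classify an environment dump that should contain an exported function f.
# Prints: namespaced (fixed format), legacy (pre-fix format) or none.
# Example constructed inputs: "BASH_FUNC_f%%=() {  :" -> namespaced,
# "f=() {  :" -> legacy, "PATH=/bin" -> none.
classify_function_export() {
    envdump=$1
    case $envdump in
        *"BASH_FUNC_f%%="*|*"BASH_FUNC_f()="*) echo namespaced ;;
        *"f=() {"*)                              echo legacy ;;
        *)                                       echo none ;;
    esac
}

# Export a trivial function f from the given bash (default: first bash on
# PATH) and classify how it shows up in a child's environment.
# Prints "missing" and returns 2 if that bash is not installed.
bash_function_export_check() {
    b=${1:-bash}
    command -v "$b" >/dev/null 2>&1 || { echo missing; return 2; }
    dump=$("$b" -c 'f() { :; }; export -f f; env' 2>/dev/null) || dump=""
    classify_function_export "$dump"
}

echo "/bin/sh is $(sh_implementation)"
echo "bash function export format: $(bash_function_export_check)"
```

A "legacy" result means the function-export format is still the one the original bug depended on, so that bash still needs the full fix, not just the first patch.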
From: lug-bounces at mailman.mines.edu On Behalf Of Ezekiel T. Chopper
Sent: Friday, September 26, 2014 8:04 PM
To: lug at mailman.mines.edu
Cc: Keith Hellman
Subject: Re: LUG: We are all patching, right?

For Debian you can follow https://www.debian.org/security/ for security updates. Currently there isn't a full patch. There is an initial patch that fixed the surface level bug, but introduced bugs of its own.

Here ( https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ ) is a blog post from the Red Hat security people that they will keep updated for news on distros of that variety.

Apple has made a statement that OS X users aren't vulnerable unless they are using "advanced UNIX services" and that a patch for those "advanced" users is in the works, but you should probably download the bash source, patch it yourself in Xcode and run your patched version. (They're kind of busy patching iOS 8) info: http://www.imore.com/apple-working-quickly-protect-os-x-against-shellshock-exploit

-- 
Ezekiel Chopper
Undergraduate Computer Science student
Infrastructure Intern at Health Language, Inc.
System Administrator for CARDI, Toilers, and SmartGeo

On Thu, Sep 25, 2014 at 5:07 PM, Kyle Thompson Kluherz <kkluherz at mymail.mines.edu> wrote:

I haven't found a patch for Mint yet, anyone know if there might be one? I'm running the Debian-based edition.

-Tk

On Thu, Sep 25, 2014 at 4:58 PM, Keith Hellman <khellman at mcprogramming.com> wrote:

http://apple.slashdot.org/story/14/09/25/1757208/flurry-of-scans-hint-that-bash-vulnerability-could-already-be-in-the-wild
--
Keith Hellman                             #include <disclaimer.h>
khellman at mcprogramming.com                 from disclaimer import standard
khellman at mines.edu
                                   -*-
                    public key @ pgp.mit.edu  9FCF40FD
        Y!M: mcprogramming                       AIM/ICQ: 485403897
        jabber: mrtuple at jabber.org      irc: freenode.net  as mrtuple
                                   -*-

"Windows is about choice - you can mix and match software and music player
stuff. We believe you should have the same choice when it comes to music
services."

-- David Fester, General Manager of Microsoft's Windows Digital Media Division
   http://apple.slashdot.org/apple/04/01/13/0158224.shtml?tid=109&tid=187

_______________________________________________
lug mailing list
lug at mailman.mines.edu
https://mailman.mines.edu/mailman/listinfo/lug