Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Tue 18 Dec 2018, 19:48
All times are UTC - 4
 Forum index » Off-Topic Area » Security
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
Post new topic   Reply to topic View previous topic :: View next topic
Page 3 of 13 [186 Posts]   Goto page: Previous 1, 2, 3, 4, 5, ..., 11, 12, 13 Next
Author Message
James C


Joined: 26 Mar 2009
Posts: 6728
Location: Kentucky

PostPosted: Thu 25 Sep 2014, 18:21    Post subject:  

https://www.us-cert.gov/ncas/alerts/TA14-268A

Quote:
Alert (TA14-268A)
GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)



Quote:
Systems Affected
GNU Bash through 4.3.
Linux, BSD, and UNIX distributions including but not limited to:
CentOS 5 through 7
Debian
Mac OS X
Red Hat Enterprise Linux 4 through 7
Ubuntu (link is external) 10.04 LTS, 12.04 LTS, and 14.04 LTS
Overview
A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1] (link is external). The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
Back to top
View user's profile Send private message 
boof

Joined: 26 Sep 2012
Posts: 458

PostPosted: Thu 25 Sep 2014, 20:48    Post subject:  

I have bash 4.4.1-can I conclude all ok?
Back to top
View user's profile Send private message 
James C


Joined: 26 Mar 2009
Posts: 6728
Location: Kentucky

PostPosted: Thu 25 Sep 2014, 20:53    Post subject: Free Software Foundation statement on the GNU Bash "shellsho  

Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

Quote:
A major security vulnerability has been discovered in the free software shell GNU Bash. The most serious issues have already been fixed, and a complete fix is well underway. GNU/Linux distributions are working quickly to release updated packages for their users. All Bash users should upgrade immediately, and audit the list of remote network services running on their systems.
Bash is the GNU Project's shell; it is part of the suite of software that makes up the GNU operating system. The GNU programs plus the kernel Linux form a commonly used complete free software operating system, called GNU/Linux. The bug, which is being referred to as "shellshock," can allow, in some circumstances, attackers to remotely access and control systems using Bash (and programs that call Bash) as an attack vector, regardless of what kernel they are running. The bug probably affects many GNU/Linux users, along with those using Bash on proprietary operating systems like Apple's OS X and Microsoft Windows. Additional technical details about the issue can be found at CVE-2014-6271 and CVE-2014-7169.

GNU Bash has been widely adopted because it is a free (as in freedom), reliable, and featureful shell. This popularity means the serious bug that was published yesterday is just as widespread. Fortunately, GNU Bash's license, the GNU General Public License version 3, has facilitated a rapid response. It allowed Red Hat to develop and share patches in conjunction with Bash upstream developers efforts to fix the bug, which anyone can download and apply themselves. Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.

Software freedom is a precondition for secure computing; it guarantees everyone the ability to examine the code to detect vulnerabilities, and to create new and safe versions if a vulnerability is discovered. Your software freedom does not guarantee bug-free code, and neither does proprietary software: bugs happen no matter how the software is licensed. But when a bug is discovered in free software, everyone has the permission, rights, and source code to expose and fix the problem. That fix can then be immediately freely distributed to everyone who needs it. Thus, these freedoms are crucial for ethical, secure computing.
Back to top
View user's profile Send private message 
Bushbuck

Joined: 25 Jan 2013
Posts: 180

PostPosted: Thu 25 Sep 2014, 21:34    Post subject:  

[Edit 26/09 to remove questions]
Installing bash 4.2.048 update from the patches repo worked when I tried again today; thanks all for the helpful thread.

Last edited by Bushbuck on Fri 26 Sep 2014, 18:15; edited 1 time in total
Back to top
View user's profile Send private message 
gcmartin

Joined: 14 Oct 2005
Posts: 6730
Location: Earth

PostPosted: Thu 25 Sep 2014, 22:59    Post subject: is DASH one answer to this vulnerability?  

On a comment from a forum member, DASH may not have this vulnerability. Wondering about its compatibility.
  • Can DASH replace BASH by removing BASH and setting a link to DASH along with PATH changes?
  • Is that reasonable or inviting problems?
One other note:
This problem may also exist in embedded systems which use BASH....like your routers, etc. It could explain how some system/networks were breached assuming there are hackers who knew of this area of exposure.

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... Its time to show that we know this!
3 Different Puppy Search Engines or use DogPile
Back to top
View user's profile Send private message 
OscarTalks


Joined: 05 Feb 2012
Posts: 1826
Location: London, England

PostPosted: Fri 26 Sep 2014, 03:53    Post subject:  

mavrothal wrote:
In any case there are updates available for all major distros so ubuntu, debian and slackware-based puppies are covered.

For T2 puppies (2.x, 4.x, wary, racy) the source code should be patched and recompiled to a new pet.

I took a look at Racy 5.5 and it has bash-3.0.16
I downloaded the source code of the same version and the corresponding version of the patch. I am not very experienced in applying patches to source code with patch but I think I figured it out. There does seem to be one path amendment that I had to make in the patch file but I am not sure about that. Anyway it all seemed to work and the version number updates to bash-3.0.17 and it passes the vulnerability test.

_________________
Oscar in England

Back to top
View user's profile Send private message 
mavrothal


Joined: 24 Aug 2009
Posts: 2990

PostPosted: Fri 26 Sep 2014, 03:57    Post subject: bash 3.0.17 for wary/racy  

For those with wary/racy here is bash 3.0.20 compiled from BK's source and the gnu patches bash30-017, bash30-018, bash30-019and bash30-020, in Racy 5.5 with
Code:
./configure --prefix=/usr --bindir=/bin --build=i486-pc-linux-gnu --with-curses  ac_cv_func_working_mktime=yes

_________________
== Here is how to solve your Linux problems fast ==

Last edited by mavrothal on Thu 02 Oct 2014, 01:59; edited 4 times in total
Back to top
View user's profile Send private message 
michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

PostPosted: Fri 26 Sep 2014, 04:01    Post subject: bash/ shell shock patch for puppy precise 5.7.1?  

hi everyone just heard about this on BBC radio 2 funnily enough. inm very concerned as I don't and never have known much about how to set up my firewall correctly. when I have a bit more time this evening I will post a fully detailed report with screen shots if necessary about how my machine is configured, correct kernel version etc. in the mean time is there anything immediate I can do to help fix or at least decrease my vulnerability to attack, on the radio they mentioned setting router to disable remote login or remote access. I have dynamic DNS anyway so have never used remote access. however have not actually checked to see whether it's enabled or not, would it be recommended to disable this setting, or any other pointers would be massively appreciated. can't afford a new machine, hence using precise on an old P4. Wink
_________________
Smash forehead on keyboard to continue.....
well thats at least how some of us deal with ba$h !
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1736

PostPosted: Fri 26 Sep 2014, 04:38    Post subject:  

The whole idea of returning values in shell scripts by altering environment variables resembles the known bad practice of using global variables all over the place in ordinary programs.

I'm also wondering why programs which might interpret commands from sources on the Internet are launched by shells which have full scripting capabilities in the first place. A weaker shell like ash should be sufficient. This is what I would expect to find in embedded devices like routers.

Instead of waiting for patches to bash itself to be tested, why not simply alter the scripts which call these programs to call a known-good shell which does not allow such exploits in order to have it call the few programs which access the internet directly.? This could also save you from further exploits made possible by means not yet found. Using the full flexibility of bash simply to call untrusted programs was overkill to begin with.
Back to top
View user's profile Send private message 
mavrothal


Joined: 24 Aug 2009
Posts: 2990

PostPosted: Fri 26 Sep 2014, 04:55    Post subject:  

prehistoric wrote:
Instead of waiting for patches to bash itself to be tested, why not simply alter the scripts which call these programs to call a known-good shell which does not allow such exploits in order to have it call the few programs which access the internet directly.?

Bash was a good shell 2 days ago and is today after patching.
There is no way BTW to know that current "good shells" will remain good.

_________________
== Here is how to solve your Linux problems fast ==
Back to top
View user's profile Send private message 
watchdog

Joined: 28 Sep 2012
Posts: 1696
Location: Italy

PostPosted: Fri 26 Sep 2014, 05:04    Post subject:  

dejan555 wrote:
Updated for dpup487 here

This might work on other pups, not sure with which ones it would be compatible though, you could test with pfix=ram


It seems good for puppy 4.3.2, slacko 5.3.3, lucid and even wary-racy.
Back to top
View user's profile Send private message 
Terryphi


Joined: 02 Jul 2008
Posts: 768
Location: West Wales, Britain.

PostPosted: Fri 26 Sep 2014, 06:02    Post subject: Re: bash 3.0.17 for wary/racy  

mavrothal wrote:
For those with wary/racy here is bash 3.0.17 compiled from BK's source and the gnu patch, in Racy 5.5


Thanks mavrothal. Works for me without any problems. Great to see Racy/Wary being supported with security patches. Smile

_________________
Classic Opera 12.16 browser SFS package for Precise, Slacko, Racy, Wary, Lucid, etc available here Smile
Back to top
View user's profile Send private message 
James C


Joined: 26 Mar 2009
Posts: 6728
Location: Kentucky

PostPosted: Fri 26 Sep 2014, 08:34    Post subject: Concern over Bash vulnerability grows as exploit reported “i  

Concern over Bash vulnerability grows as exploit reported “in the wild” [Updated]



http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as-exploit-reported-in-the-wild/

Quote:
The vulnerability reported in the GNU Bourne Again Shell (Bash) yesterday, dubbed "Shellshock," may already have been exploited in the wild to take over Web servers as part of a botnet. More security experts are now weighing in on the severity of the bug, expressing fears that it could be used for an Internet "worm" to exploit large numbers of public Web servers. And the initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry. A second vulnerability in Bash allows for an attacker to overwrite files on the targeted system.


Quote:
In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion webpages that at least partially fit the profile for the Shellshock exploit.

"It's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi)," Graham wrote. CPanel is a Web server control panel system used by many Web hosting providers. "Getting just the root page is the thing least likely to be vulnerable. Spidering the site and testing well-known CGI scripts (like the CPanel one) would give a lot more results—at least 10x."
In addition, Graham said, "this thing is clearly wormable and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would be 'game over' for large networks."


Quote:
Update: A number of security companies are now reporting attacks based on Shellshock that are ongoing. "We’re seeing attackers target the Shellshock vulnerability almost immediately (within 4.5 hours) of it being publicly announced," said Waylon Grange, senior malware researcher at Blue Coat. "Any organizations or users with unpatched Linux servers are vulnerable to hackers running unauthorized code, so it’s very important that organizations download and apply the patch immediately. Blue Coat is already seeing DDOS botnets trying to utilize this vulnerability in their attacks and we expect that traffic to only continue to increase.”
Back to top
View user's profile Send private message 
mavrothal


Joined: 24 Aug 2009
Posts: 2990

PostPosted: Fri 26 Sep 2014, 09:22    Post subject:  

For a more puppy-relevant view
Code:
With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.


In simple terms, unless you are running a server or allow any kind of remore-login to your puppy, you are safe even without updating your bash. Surprised
If you are running servers and you are not updating your machine regularly and be on top of it in general, you are destine for trouble, bash or not bash. Wink

But even if you have some small personal server running, what are the odds of being targeted among the millions of IP addresses?.
To put things in prospective the probability to be in a car accident next year, is 1/~10000! But you are still out in the streets without freaking out (I hope...)
So looks like a lot of hype and FUD that will fizz in a couple more days.

In my mind the only relevant puppy question is:
is the forum (and other puppy-related) server(s) patched? Confused

_________________
== Here is how to solve your Linux problems fast ==
Back to top
View user's profile Send private message 
James C


Joined: 26 Mar 2009
Posts: 6728
Location: Kentucky

PostPosted: Fri 26 Sep 2014, 09:37    Post subject:  

I was assuming Puppy users would notice phrases like:

Quote:
....expressing fears that it could be used for an Internet "worm" to exploit large numbers of public Web servers......


Quote:
.....Any organizations or users with unpatched Linux servers are vulnerable to hackers running unauthorized code....
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 3 of 13 [186 Posts]   Goto page: Previous 1, 2, 3, 4, 5, ..., 11, 12, 13 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0708s ][ Queries: 13 (0.0069s) ][ GZIP on ]