Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Wed 11 Dec 2019, 14:04
All times are UTC - 4
 Forum index » Off-Topic Area » Security
"Shell Shock" Cure for all pre-October 2014 Pups
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 3 [35 Posts]   Goto page: 1, 2, 3 Next
Author Message
mikeslr


Joined: 16 Jun 2008
Posts: 3544
Location: 500 seconds from Sol

PostPosted: Fri 26 Sep 2014, 21:04    Post subject:  "Shell Shock" Cure for all pre-October 2014 Pups
Subject description: Warning about using Wine
 

September 27, 2014 edited

Edit: October 7, 2014: As far as I can tell, there are now for all Pups pets available which plug the Shell Shock bug; Get them here: http://murga-linux.com/puppy/viewtopic.php?p=801075#801075

Hi All,

If your Puppy was published (made available) before September 26, 2014, it is vulnerable to the "Shell Shock" Bug. This is NOT just a Puppy vulnerability. All operating systems are compromised That bug potentially can enable an intruder to gain access to all your data, and take total control of your computer. Unless your router was also manufactured after that date, its firewall may also be compromised by the Shell Shock Bug.
For the full story, and to apply an easy cure for the bug, read thru the short thread starting here: http://murga-linux.com/puppy/viewtopic.php?p=800578#800578.

Short synopsis and comments:

Bash is one of software's building blocks. It is used in almost everything: your router, your operating system -- whether you're running Windows. Mac or Linux-- probably your android appliances and i-Stuff. The vulnerability has been around for about 25 years: it seems someone left a back door "for testing purposes" open. About three days ago, the discovery of that vulnerability was announced. The Linux world has quickly responded. Red Hat was the first to devise a solution, and being open source, announced it. Thank you Red Hat. Patches now exist, I believe, for all versions of Puppy, based on the work done by Ubuntu, Slackware, and in a couple of instances relating to T2 Built Pups our own Devs, Geoffrey, dejan555, and anikin. Thanks, Guys.

The patches are not a complete solution to the bug. So keep your eyes open for that.

Since your router may be compromised, be sure to turn on the firewall of your operating system.
Windows has yet to respond. And whether it will respond with a "bug-fix" for XP, or any version prior to Windows 7 is questionable. Also questionable is whether any such fix will work under Wine. See, http://wiki.winehq.org/SecuringWine. Wine has shrugged off any real concern for security because most Linux distros do not let you automatically run applications as "root" --think Administrator in the Windows' world. Puppy does. So until matters are clarified, I recommend being cautious about running windows programs under wine. Several years ago, wine was almost an essential component of any Linux OS, because Linux applications were not as far advanced as those available under XP. That is not the case today. Unless you're running specialized business programs, there is only one or two areas I know of in which you won't find some application as good as, and often better than, windows programs purchased by consumers. Taxes. As yet, there is only one LInux software to prepare your US or State taxes. [See, http://opentaxsolver.sourceforge.net/, which I haven't tried]. TurboTax, TaxAct and H&R Block's installable versions won't run under Wine, anyway, and its seems that changes last year preclude the use of online versions.
I don't play games, so perhaps there are games which will run under wine whose equivalents can't be found under Linux. But if you must use Wine, might I suggest that you setup a separate Puppy just for those things you can't live without. I doubt it will use up more than a couple of Gbs of your hard-drive, even with shinobar's "uncompressed" wine-portable. Or install that Pup to a USB-Key.

mikesLR

Last edited by mikeslr on Tue 07 Oct 2014, 20:40; edited 1 time in total
Back to top
View user's profile Send private message 
mikeb


Joined: 23 Nov 2006
Posts: 11281

PostPosted: Mon 29 Sep 2014, 04:17    Post subject:  

Bash used on windows?
It was mentioned this was a bug that affects servers.
The test for it seemed a little obtuse...how exactly does that make anything vulnerable in itself with regard to a PC user on the internet?
confused
mike
Back to top
View user's profile Send private message 
Ray MK


Joined: 05 Feb 2008
Posts: 776
Location: UK

PostPosted: Mon 29 Sep 2014, 05:09    Post subject:  

Confused 2 -
does this mean that all the luvly puppies that have been made over the last 5,6,7 or so years are useless and should be sent to the knackers yard in the sky?
Please help me/us to understand - is this a back door?
Are we safe?

Could we make a new “shell shock” proof Puppy that could be used with confidence?

Many thanks and best regards to all - Ray.

_________________
Asus 701SD. 2gig ram. 8gb SSD. IBM A21m laptop. 192mb ram. PIII Coppermine proc. X60 T2400 1.8Ghz proc. 2gig ram. 80gb hdd. T41 Pentium M 1400Mhz. 512mb ram.
Back to top
View user's profile Send private message 
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

PostPosted: Mon 29 Sep 2014, 06:01    Post subject:  

If your a billion dollar company running a web server on your free puppy linux distro, then it would be wise to update bash.

https://www.youtube.com/watch?v=ArEOVHQu9nk

Else it's not that important, but if it can be fixed why not fix it Wink

_________________
Carolina: Recent Repository Additions

Back to top
View user's profile Send private message 
mikeb


Joined: 23 Nov 2006
Posts: 11281

PostPosted: Mon 29 Sep 2014, 07:16    Post subject:  

Sorry...I just have this annoying habit of trying to keep things in proportion.

An update to slip in of course...stuff that goes on all the time.

I thought those places were for horses...where do unwanted, unsafe worn out pups really go....ah yes we keep on using them Very Happy

mike
Back to top
View user's profile Send private message 
solo


Joined: 14 Nov 2013
Posts: 390

PostPosted: Tue 30 Sep 2014, 07:35    Post subject:  

So what does this mean? Are the main iso's that people will download just to try out Puppy Linux still be vonurable, or are they going to be remastered with a patched BASH version?

I mean people will go to a site like puppylinux.org, where they will read that there's this great Linux distro which has -long term support-, and right now they will download a Puppy iso from 2013, with the Shellshock vonurability, and the only way for them to get that fixed is if they have the good sense and awareness to visit sites like this one and read up on matters.

I don't believe that kind of responsibility should be expected from first time users.
Back to top
View user's profile Send private message 
rokytnji

Joined: 20 Jan 2009
Posts: 2288

PostPosted: Tue 30 Sep 2014, 09:01    Post subject:  

solo wrote:
So what does this mean? Are the main iso's that people will download just to try out Puppy Linux still be vonurable, or are they going to be remastered with a patched BASH version?

I mean people will go to a site like puppylinux.org, where they will read that there's this great Linux distro which has -long term support-, and right now they will download a Puppy iso from 2013, with the Shellshock vonurability, and the only way for them to get that fixed is if they have the good sense and awareness to visit sites like this one and read up on matters.

I don't believe that kind of responsibility should be expected from first time users.


What downloadable iso that you know of comes with a Patched bash?
Even Apple just released their fix recently.
I am kinda missing the point here.

But I have always been a slow study type of Linux user.
I don't get gist of the bitch?
Back to top
View user's profile Send private message 
solo


Joined: 14 Nov 2013
Posts: 390

PostPosted: Tue 30 Sep 2014, 09:37    Post subject:  

I'm sorry if my message came off as 'bitchy'. And hey shit, perhaps it was. So, you know, sorry.

Truth be told, I was actually pretty impressed how some people here were 'on the ball' so to speak, and were producing patched bash versions in pet format for various puppy distros real quickly.
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12802
Location: Stratford, Ontario

PostPosted: Tue 30 Sep 2014, 09:51    Post subject:  

Would someone please explain to me how this vulnerability affects a Puppy CLIENT machine in ANY way?

No generalizations please - specific examples.

The greater long-term risk to Puppy is that bash changes the way it handles exported functions. This would affect just about every gtkdialog app in Puppy.
Back to top
View user's profile Send private message 
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Tue 30 Sep 2014, 10:08    Post subject:  

What is #shellshock?


https://shellshocker.net/


For informational purposes only.

Quote:
Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash in since Sun Sep 28 2014: 1:11AM EST (See patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.
Back to top
View user's profile Send private message 
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Tue 30 Sep 2014, 10:13    Post subject:  

From Symantec.

http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability

Quote:
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.


Quote:
Aside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.


Quote:
For consumers
Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12802
Location: Stratford, Ontario

PostPosted: Tue 30 Sep 2014, 10:23    Post subject:  

So there is ZERO need for a Puppy user to patch his/her version of bash. Unless, as Geoffrey said above, they are running a server exposed to the world.

Since my router has a decent password on it, I cannot see how this bug makes it any less secure.
Back to top
View user's profile Send private message 
Sylvander

Joined: 15 Dec 2008
Posts: 4422
Location: West Lothian, Scotland, UK

PostPosted: Tue 30 Sep 2014, 10:28    Post subject:  

1. Having installed bash-4.3.27-1.pet...

2. I tried testing my system [Slacko-5.7.0-pae] at the site linked in the post above by james C.
i.e. https://shellshocker.net/

3. My system was invulnerable to exploits 1, 2 & 3, and vulnerable to exploits 4 & 5.

Hey-ho, rcrsn51 says it's irrelevant anyway. Wink
Back to top
View user's profile Send private message 
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Tue 30 Sep 2014, 10:29    Post subject:  

Why let any little thing like facts interfere with a good crisis?

Bold emphasis mine...

Quote:
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.


Quote:
Aside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.


http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability

Symantec is a fairly well-respected entity in computer security.
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12802
Location: Stratford, Ontario

PostPosted: Tue 30 Sep 2014, 10:42    Post subject:  

Exactly. Instead testing to see if the bash bug makes you vulnerable to YOURSELF, you should try attacking some other device on your network that runs a web server, like a wireless printer.
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 3 [35 Posts]   Goto page: 1, 2, 3 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0609s ][ Queries: 12 (0.0068s) ][ GZIP on ]