Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Pilosopong Tasyo
Level 6
Posts: 1432
Joined: Mon Jun 22, 2009 3:26 am
Location: Philippines

Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by Pilosopong Tasyo »

:!: Several topics discussing this issue recently emerged in the forum. These similar topics have been merged here and will be on sticky for some time. If any member sees a new thread that discusses the same/similar issue, kindly report it so we can take the appropriate action. Thank you all for your cooperation. :!:

Summary of need to know information:
  • Linux Mint 13 has been fully patched: just install level 3 updates from Update Manager to get bash update 4.2-2ubuntu2.6 (changelog).
    This fixes all reported vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278).
  • Linux Mint 17 has been fully patched: just install level 3 updates from Update Manager to get bash update 4.3-7ubuntu1.5 (changelog).
    This fixes all reported vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278).
  • Other versions of Linux Mint are obsolete and will not receive security updates. Either patch bash manually, or install Linux Mint 13 or 17. More information here.
  • LMDE is not yet patched, but you can get a patched version of bash from Debian sid. See this post for details. You will find a separate discussion about the LMDE issue here.
    Update 30-Sept-2014: User monsta reports: "bash 4.3-9.2 is in LMDE now, the security hole is patched there."
The bash vulnerability primarily affects users running server software that uses shell scripts (e.g., Apache web server with CGI scripts), where the shell scripts are poorly written (no sanitizing of user input; rookie web developer mistake), the user has changed the default sh shell from dash to bash (that's right; bash isn't the default sh shell), and the server software is reachable from the Internet.

In other words, as home users not running any server software that is reachable from the Internet, this bash vulnerability doesn't immediately affect you.
Last edited by Pilosopong Tasyo on Wed Oct 15, 2014 10:43 pm, edited 16 times in total.
Reason: Issue has finished running its course. Removing sticky status.
o Give a man a fish and he will eat for a day. Teach him how to fish and he will eat for a lifetime!
o If an issue has been fixed, please edit your first post and add the word [SOLVED].
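The script below is an added example, not part of the sticky post and not Mint's tooling. It assumes a bash on PATH (pass another binary, e.g. a freshly built one, as the first argument to check that instead). It first shows the legitimate feature the bug lived in, bash's function export through the environment, and then generalises the thread's one-line test into probes for CVE-2014-6271 and for CVE-2014-7169, the hole that the first upstream fix left open.

```shell
#!/bin/sh
# Added example, not from the thread: what bash's function export looks like
# in the environment, plus probes for CVE-2014-6271 and CVE-2014-7169.
# Assumes a bash on PATH; pass another binary as $1 to test that one.

# The feature the bug lived in: 'export -f' serialises a function into an
# environment variable and a child bash re-parses it at startup. Before the
# fix, any variable whose value began with "() {" was treated as a function,
# and the parser kept going past the closing brace, so trailing text ran.
exported_function_roundtrip() {
    bash -c 'greet() { echo "hello from parent"; }; export -f greet; bash -c greet'
}

# Patched bash only imports variables carrying a BASH_FUNC_ prefix (the exact
# suffix differs between upstream "%%" and the Debian/Ubuntu "()" builds).
exported_function_var_name() {
    bash -c 'greet() { :; }; export -f greet; env' | grep -o '^BASH_FUNC_greet[^=]*' | head -n 1
}

# CVE-2014-6271: the command after the function body must not run when the
# child shell starts. Same test as the thread's, wrapped so it can be scripted.
probe_6271() {
    sh_bin=${1:-bash}
    out=$(env x='() { :;}; echo vulnerable' "$sh_bin" -c 'echo ok' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        ok)           echo patched ;;
        *)            echo unknown ;;
    esac
}

# CVE-2014-7169: the first fix left parser state behind, so 'echo date' was
# parsed as a redirection and wrote into a file literally named "echo".
# Run it in a scratch directory and look for that file.
probe_7169() {
    sh_bin=${1:-bash}
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$sh_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

shellshock_report() {
    sh_bin=${1:-bash}
    printf '%s: CVE-2014-6271 %s, CVE-2014-7169 %s\n' \
        "$sh_bin" "$(probe_6271 "$sh_bin")" "$(probe_7169 "$sh_bin")"
}

shellshock_report "${1:-bash}"
```

Run it as `sh shellshock-probe.sh` or `sh shellshock-probe.sh /path/to/other/bash`. A "vulnerable" in either column means the installed bash predates the relevant fix; "patched" on both is what the 4.2-2ubuntu2.6 and 4.3-7ubuntu1.5 packages above produce.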
Ubulindy

Vulnerability in Bash

Post by Ubulindy »

This vuln just came in my RSS. Vulnerability in Bash: http://arstechnica.com/security/2014/09 ... -nix-in-it
Sure enough, I ran the code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
It came back:
vulnerable
this is a test
Reports indicate Ubuntu has patched this as of today. Can we expect an update for LMDE soon?
kyphi
Level 9
Posts: 2735
Joined: Sat Jul 09, 2011 1:14 am
Location: The Hunter Valley, Australia

Re: bash cve 2014-6271

Post by kyphi »

The patch has already been released and installed. Check your Update Manager.

LM 13 was great indeed, I enjoyed using it tremendously. LM 17 is even greater, in my opinion.
Linux Mint 21.3 Cinnamon
kyphi
Level 9
Posts: 2735
Joined: Sat Jul 09, 2011 1:14 am
Location: The Hunter Valley, Australia

Re: Vulnerability in Bash

Post by kyphi »

It has already been fixed in all versions of Linux Mint. Check your Update Manager.
Ubulindy

Re: Vulnerability in Bash

Post by Ubulindy »

I posted in LMDE (Linux Mint Debian Edition); this vuln was just made known today, and yes, I have updated, no update as of yet for this. Updates are few and far between. LMDE is based on "testing", not Ubuntu-based like the regular Mint :)
kyphi
Level 9
Posts: 2735
Joined: Sat Jul 09, 2011 1:14 am
Location: The Hunter Valley, Australia

Re: Vulnerability in Bash

Post by kyphi »

Here it says that Debian has plugged the security hole in bash:

http://www.zdnet.com/unixlinux-bash-cri ... 000034021/

Quoted from the above article published yesterday (24th):

At this time, only Debian and Red Hat appear to have packaged patches ready to go.

And, yes, I used Debian for some time and am familiar with the differences.
amasa

What's this about bash?

Post by amasa »

There are reports today that there is a security hole in bash, and that the sky will soon fall in. Does this affect us on Mint?
Ubulindy

Re: Vulnerability in Bash

Post by Ubulindy »

Yes, based on this: https://security-tracker.debian.org/tra ... -2014-6271 ..... some debians have been patched and others haven't. LMDE is based on "testing" which is "Jessie" I believe, and it looks as though the fix is not out yet. Guess we'll just have to wait on the fix to come through.
Pierre
Level 21
Posts: 13192
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Linux has a catastrophic flaw...

Post by Pierre »

as in:
http://arstechnica.com/security/2014/09 ... nix-in-it/

"Patches issued:
Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian
Opensuse 13.1

The patch for Opensuse 13.1 was applied before we knew about the bug. - Too bad Microsoft doesn't work that fast."
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
killer de bug

Re: Vulnerability in Bash

Post by killer de bug »

Take the upgrade in Sid. :wink:
Ubulindy

Re: Vulnerability in Bash

Post by Ubulindy »

killer de bug wrote:Take the upgrade in Sid. :wink:
How do I go about doing that?
jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: What's this about bash?

Post by jimallyn »

Run the Update Manager, the fix is available.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
amasa

Re: What's this about bash?

Post by amasa »

Yes, I had checked the update manager and saw an item for bash so I ran it but I was not sure whether that was the fix. So that's all good then.
jonniosaurus

Shell Shock vulnerability

Post by jonniosaurus »

Quick question,

how does one manually patch this with this: http://ftp.gnu.org/pub/gnu/bash/bash-4. ... bash42-048

I tried wget http://ftp.gnu.org/pub/gnu/bash/bash-4. ... bash42-048

and then patch -p0 bin\bash bash42-048 but it didn't work.

Man, I suck at bash :(
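The upstream bash42-NNN files are source patches: they are applied to the unpacked bash-4.2 source tree (not to the /bin/bash binary), in numeric order, with `patch -p0` run from inside that tree, after which bash is rebuilt with `./configure && make`. The script below is an added example, not from the thread or from GNU; the directory and prefix names are placeholders, and its self-test uses a constructed two-file tree with two constructed patches instead of the real series.

```shell
#!/bin/sh
# Added example, not from the thread: applying the upstream bash patch series
# in order from inside the unpacked source tree, which is what the GNU
# bash42-NNN files expect. Directory and prefix names are placeholders; the
# self-test below uses a constructed tree and two constructed patches.

# apply_patch_series <source-dir> <patch-dir> <prefix>
# e.g. apply_patch_series ./bash-4.2 ./patches bash42-
# The upstream patches name files relative to the source tree, so they are
# applied with -p0 from inside it, strictly in numeric order. -N (--forward)
# makes patch refuse, instead of prompting, when a patch is already applied.
# Each patch is dry-run first so a bad one stops the series before any change.
apply_patch_series() {
    srcdir=$1; patchdir=$2; prefix=$3
    applied=0
    for p in "$patchdir/$prefix"[0-9][0-9][0-9]; do
        [ -f "$p" ] || continue
        if ! (cd "$srcdir" && patch -p0 -N --dry-run < "$p" >/dev/null 2>&1); then
            echo "stop: $(basename "$p") does not apply cleanly (already applied, or wrong series?)" >&2
            return 1
        fi
        (cd "$srcdir" && patch -p0 -N < "$p" >/dev/null 2>&1) || return 1
        applied=$((applied + 1))
    done
    echo "$applied"
}

# Constructed stand-in for a source tree plus two sequential patches.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir "$demo/src" "$demo/patches"
    printf 'version=4.2\nfix_7169=no\n' > "$demo/src/version.txt"
    cat > "$demo/patches/demo42-001" <<'EOF'
--- version.txt
+++ version.txt
@@ -1,2 +1,2 @@
-version=4.2
+version=4.2-p1
 fix_7169=no
EOF
    cat > "$demo/patches/demo42-002" <<'EOF'
--- version.txt
+++ version.txt
@@ -1,2 +1,2 @@
 version=4.2-p1
-fix_7169=no
+fix_7169=yes
EOF
    echo "$demo"
}

# Applies the demo series once, then shows that a second pass is refused.
# Prints "<patches applied> <second line of the patched file> <second pass>".
demo_run() {
    command -v patch >/dev/null 2>&1 || { echo "no patch binary"; return 0; }
    demo=$(make_demo_tree) || return 1
    n=$(apply_patch_series "$demo/src" "$demo/patches" demo42-) || { rm -rf "$demo"; return 1; }
    if apply_patch_series "$demo/src" "$demo/patches" demo42- >/dev/null 2>&1; then
        again=ok
    else
        again=refused
    fi
    printf '%s %s %s\n' "$n" "$(sed -n 2p "$demo/src/version.txt")" "$again"
    rm -rf "$demo"
}

demo_run
```

For the real thing, fetch the full bash-4.2 tarball and every bash42-001 … bash42-048 file into a patches directory, run `apply_patch_series ./bash-4.2 ./patches bash42-`, then build and install the result; the thread's own one-liner (`env x='() { :;}; echo vulnerable' ./bash -c "echo this is a test"`) against the freshly built binary tells you whether the series took.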
niowluka

Re: What's this about bash?

Post by niowluka »

amasa wrote:There are reports today that there is a security hole in bash, and that the sky will soon fall in.
No, it will not fall. From the reports in the media the vulnerability existed for a while, there are no known existing exploits and it's the webservers that are most at risk.

So no need to panic just yet :wink:

BTW, kudos to Ubuntu and Mint teams for getting the patch ready so quickly. Thanks !
ktheking

Re: Shell Shock vulnerability

Post by ktheking »

You might get lucky trying to use the ubuntu guide here : http://www.ubuntu.com/usn/usn-2362-1/

Source : http://www.csoonline.com/article/268726 ... -6271.html
eanfrid

Re: Shell Shock vulnerability

Post by eanfrid »

Just run MintUpdate...
jonniosaurus

Re: Shell Shock vulnerability

Post by jonniosaurus »

Mint Update hasn't fixed it. I'm getting busted running:
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
killer de bug

Re: Vulnerability in Bash

Post by killer de bug »

You add sid repo to your sources.list, you upgrade the package and you remove sid repo...
linx255
Level 5
Posts: 668
Joined: Mon Mar 17, 2014 12:43 am

Recent bash vulnerability and patch questions

Post by linx255 »

- Mint 17 Mate 64-bit

According to NIST, vulnerability CVE-2014-6271 is described: "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."

csoonline.com says: "An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad."

I have never knowingly used those features and don't know anything about the environment variables, but my questions are:

1) Is "nefarious" accurate or should they have used "careless" in describing the function "which can enable network exploitation" ? Did they really mean an arbitrary environment variable itself is nefarious? Did the arbitrarily named environment variables originate from bash features or the attacker?
2) Are any of these features used in an automated / background way that I wouldn't necessarily see on my screen? ( I.e. upon boot, or running Update Manager, or some other program )
3) Would attacks have been effective against a machine with SELinux installed with one of the two default configurations? Apparently no authorization was required for the code injection.
4) Should I be asking different questions here?

Thanks
- I'm running Mint 18 Mate 64-bit
- 4.15.0-34-generic x86_64
- All my bash scripts begin with #!/bin/bash