Main Edition: BASH vulnerability a.k.a. 'Shellshock'

karlchen
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

Hello, 420trvlr.
420trvlr wrote: I tried looking for updates and it came back that my system is up to date, however, when I run: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
it still comes back that my system is vulnerable. I have the latest release of Mint (KDE).
Launch mintupdate, the shield icon on the right hand side of the panel. Go to Edit => Preferences. In the tab "Levels" make sure that at minimum the software packages of levels [1], [2] and [3] have been configured to be "visible" and "safe for installation". Once done, click on the large [Refresh] button.
Unless you have already installed the latest bash update(s) without noticing, the list of available updates should include
+ either bash 4.3-7ubuntu1.3 (Mint 17)
+ or bash 4.2-2ubuntu2.3 (Mint 13)
Click on the [Install Updates] button.

You can check which bash package has been installed on your system, e.g. by opening a terminal window and running the command line

Code:
dpkg --list bash
Post the screen output of the command here if you would like to get our feedback on the installed bash package. (Up-to-date or not.)

HTH,
Karl
--
Note:
While writing this, yet another bash security update was offered for installation on my Mint 13 here:

Code:
bash (4.2-2ubuntu2.5) precise-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds memory access
    - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
      off-by-one in bash/parse.y.
    - CVE-2014-7186
    - CVE-2014-7187
  * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
    - debian/patches/variables-affix.diff: add prefixes and suffixes in
      bash/variables.c.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 26 Sep 2014 13:27:53 -0400
I would be amazed if a corresponding update had not been published for Mint 17 as well. Only thing is I cannot easily check as long as I am logged in to Mint 13.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

4.3-7ubuntu1.4
Published in trusty-updates 25 minutes ago
Published in trusty-security 1 hour ago

bash (4.3-7ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds memory access
    - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
      off-by-one in parse.y and y.tab.c.
    - CVE-2014-7186
    - CVE-2014-7187
  * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
    - debian/patches/variables-affix.diff: add prefixes and suffixes in
      variables.c.

 -- Marc Deslauriers <email address hidden>  Fri, 26 Sep 2014 12:57:19 -0400

Available diffs

diff from 4.3-7ubuntu1.3 to 4.3-7ubuntu1.4 (3.4 KiB)
This one is for LM17 ;)

Edit: Karlchen, you have all the changelog here: https://launchpad.net/ubuntu/+source/bash/+changelog
turtlebay777

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by turtlebay777 »

killer de bug wrote:
frisil wrote: Older (obsolete) versions can be patched easily, I just found a way:
This is advertisement, period! You're not the center of the world. This sentence makes people believe they can fix their obsolete systems and it's wrong. This has nothing to do here and it's dangerous.
Funny to see you deleted your insults... Nice bravery...

turtlebay777 wrote: Unless you fancy releasing something smaller for us?
There are so many GNU/Linux systems doing this, use google and you will find them... And sorry, I don't help people insulting me...
Let me guide you so take a hold of my hand and read along with me ...
killer de bug wrote:
frisil wrote: Older (obsolete) versions can be patched easily, I just found a way:
This is advertisement, period!
Did you see who said that? Was it me? No! It was someone else!

Do you possibly need an optician's appointment?
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

turtlebay777 wrote: Do you possibly need an optician's appointment?
My remarks were not for you first. You took them for you, this is your problem. I then gave the exact sentence I was referring to after you requested some details. By the way, when I requested an apt policy it was not for you either... But you decided to answer since you take everything for you...

That you insulted me then is my problem. So now, help yourself and leave me in peace please. As a prick I don't have time to waste on you.
niowluka

Re: Recent bash vulnerability and patch questions

Post by niowluka »

nomko wrote: Another crappy story that has been blown up out of proportion....
A beacon of light in the darkness of utter media madness...
karlchen
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

Hello, turtlebay777. Hello, killer de bug.

Although it will be possible to patch bash on outdated Mint editions, I totally agree with killer de bug: This is not the way to go.
Replacing a vulnerable bash on an outdated Mint edition will give you a false feeling of being safe. But in fact you have just eliminated one single vulnerability.
There will be more unpatched vulnerabilities in your outdated system which you are not aware of. Even the makers of the outdated Mint edition may not be aware of these unpatched vulnerabilities.
The reason is simple: When a Mint release reaches the end of its supported life, no-one will bother to check whether the outdated Mint release is affected by vulnerabilities which are detected and fixed in supported Mint releases after the EOL of your outdated release.

Sticking with unsupported Mint releases because your hardware cannot run the more recent releases is a bad reason. There are Linux distributions which have been designed to run on poor hardware and which are still maintained.

Kind regards,
Karl
karlchen
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

Hello, turtlebay777. Hello, killer de bug.

As you are doing so in public, I may as well react publicly: Both of you are hereby requested to stay away from further personal attacks.

This is especially to you, Mr T.:
No personal insults. No swear words. - You are lucky you removed that part so fast, or you might have been given a week's break here in the forum.

Kind regards,
Karl
karlchen
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

Hi, killer de bug.
Edit: Karlchen, you have all the changelog here: https://launchpad.net/ubuntu/+source/bash/+changelog
Thanks for the link. Bookmarked. :D
For the time being, "after the most recent bash patch" merely means "before the next bash patch". :wink:

Karl
karlchen
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Recent bash vulnerability and patch questions

Post by karlchen »

niowluka wrote:
nomko wrote: Another crappy story that has been blown up out of proportion....
A beacon of light in the darkness of utter media madness...
Well, the hype about the recent bash vulnerabilities might have a positive side effect, in case it makes more users aware that
+ 100% security does not exist
+ not even on a Linux system
+ applying security fixes is a MUST, not merely an option.
frisil
Level 3
Posts: 146
Joined: Wed Feb 04, 2009 10:24 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by frisil »

@killer de bug

Here's what you requested:

Code:
bash:
  Installed:      4.3-7ubuntu1.3
  Candidate:      4.3-7ubuntu1.3
  Version table:
 *** 4.3-7ubuntu1.3 0
        100 /var/lib/dpkg/status
     4.2-5ubuntu3 0
        500 http://old-releases.ubuntu.com/ubuntu/ raring/main amd64 Packages
Oh, and I didn't advertise using old releases, I explicitly said: "no more security updates, keep using at your own risk!" This sounds more like a warning to me…
pe1800
Level 2
Posts: 54
Joined: Wed Feb 05, 2014 4:04 pm
Location: Toronto Canada

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by pe1800 »

frisil wrote: Older (obsolete) versions can be patched easily, I just found a way:

regardless of which Ubuntu based system you use, change your sources list to:

Code:

# for bash-only update
deb http://de.archive.ubuntu.com/ubuntu trusty main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-updates main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-security main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
open a root terminal and execute:

Code:

apt-get update
apt-get install --only-upgrade bash
now change your sources list back to what it was, run "apt-get update" again and you're done! I just tried this on my Mint Olivia and it worked fine.

btw, for those who don't know: It's still possible to install stuff on old versions, even if the original repos are gone, because Ubuntu has these:

Code:
deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-security main restricted universe multiverse
Not just raring, other obsolete versions, too. But no new security updates, so keep using at your own risk.
This is good news! I run Mint 16. But forgive me, I am a newbie and not very knowledgeable. Where do I find "sources"? And then, do I execute each line of

Code:

apt-get update
apt-get install --only-upgrade bash
one after the other? And, after having changed "sources" back to what it was before, do I just run "apt-get update"?

Thank you for your help,
pe1800
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

pe1800 wrote: This is good news! I run Mint 16. But forgive me, I am a newbie and not very knowledgeable.
http://forums.linuxmint.com/viewtopic.php?f=90&t=173378
frisil
Level 3
Posts: 146
Joined: Wed Feb 04, 2009 10:24 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by frisil »

@ pe1800

If you don't understand my instructions, don't do it! Be on the safe side and upgrade to a new, non-obsolete version. Only keep an old version if you know what you're doing and what risks you take in doing so. And only if you think the risks are acceptable because the PC which runs the obsolete version is only used for certain tasks. If you use it as normal desktop PC for everything, ALWAYS use an up-to-date version, not an obsolete one.
pe1800
Level 2
Posts: 54
Joined: Wed Feb 05, 2014 4:04 pm
Location: Toronto Canada

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by pe1800 »

frisil wrote: @ pe1800

If you don't understand my instructions, don't do it! Be on the safe side and upgrade to a new, non-obsolete version. Only keep an old version if you know what you're doing and what risks you take in doing so. And only if you think the risks are acceptable because the PC which runs the obsolete version is only used for certain tasks. If you use it as normal desktop PC for everything, ALWAYS use an up-to-date version, not an obsolete one.
Thank you. Will do as you recommend. Actually, I have had the DVD with 17 ready for a little while. I will not upgrade but install 17 from scratch, on another hard drive with plenty of space.

Cheers,
Paul
acerimusdux
Level 5
Posts: 635
Joined: Sat Dec 26, 2009 3:36 pm

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by acerimusdux »

It looks like the latest versions of bash installed today no longer throw the illegal function errors, which is good. They just ignore the bad function, and treat it as a variable. So now if you test this, it will say "vulnerable" on a vulnerable system, and nothing at all on an updated system. Like this:

Code:
~ $ export x="() { :;}; echo vulnerable"; bash -c :
~ $
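The checks discussed in this thread, collected in one script as an added example (it is not code from the thread or from the Mint/Ubuntu packages): the package-version check behind karlchen's "dpkg --list bash" request, the behavioural probe acerimusdux shows above (extended to the follow-up CVEs named in the changelogs, each with a one-word verdict instead of a crash or a file left behind), and a look at the "prefixes and suffixes for function exports" change those changelogs list. It assumes a bash binary on PATH; dpkg is optional. Everything else (the codename lookup, the temporary directory, the probe function name) is the example's own choice.

```sh
#!/bin/sh
# Added example, not code from the thread: the verification steps the posts
# above describe, written as POSIX sh functions so they also work when /bin/sh
# is dash. Each probe prints a one-word verdict instead of exiting, so results
# can be collected. Assumptions: a "bash" binary is on PATH; dpkg is optional.

have_bash() { command -v bash >/dev/null 2>&1; }

# Fixed Ubuntu package versions quoted in the thread, by release codename.
fixed_bash_version() {
    case "$1" in
        precise) echo 4.2-2ubuntu2.5 ;;   # Mint 13
        trusty)  echo 4.3-7ubuntu1.4 ;;   # Mint 17
        *)       echo unknown ;;
    esac
}

# Compare the installed package with the fixed one using dpkg's own version
# ordering (what "dpkg --list bash" shows, minus the eyeballing).
# Prints fixed / outdated / unknown (no dpkg, or a release not listed above).
bash_package_status() {
    fixed=$(fixed_bash_version "$1")
    [ "$fixed" != unknown ] && command -v dpkg-query >/dev/null 2>&1 || { echo unknown; return 0; }
    installed=$(dpkg-query -W -f='${Version}' bash 2>/dev/null) || { echo unknown; return 0; }
    if dpkg --compare-versions "$installed" ge "$fixed"; then echo fixed; else echo outdated; fi
}

# CVE-2014-6271: commands after an imported function body get executed.
# A patched bash ignores the definition (recent builds silently, as noted
# above), so nothing is printed and the verdict is "patched".
probe_cve_2014_6271() {
    have_bash || { echo nobash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null) || :
    [ "$out" = vulnerable ] && echo vulnerable || echo patched
}

# CVE-2014-7169: the first fix left the parser in a bad state after a syntax
# error; the dangling redirection turns "echo date" into ">echo date", which
# writes a file named "echo". Run in a scratch directory so nothing else is touched.
probe_cve_2014_7169() {
    have_bash || { echo nobash; return 0; }
    dir=$(mktemp -d) || { echo error; return 1; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$dir/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$dir"
    echo "$verdict"
}

# CVE-2014-7186: fourteen stacked here-documents overflow redir_stack and crash
# a vulnerable bash (non-zero exit); a patched one only warns on stderr.
probe_cve_2014_7186() {
    have_bash || { echo nobash; return 0; }
    if bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    then echo patched; else echo vulnerable; fi
}

# CVE-2014-7187: "for" loops nested deeper than word_lineno holds run off the
# end of the array; 200 nested loops over empty lists are a harmless probe.
probe_cve_2014_7187() {
    have_bash || { echo nobash; return 0; }
    script=$(
        i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
        i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
    )
    if printf '%s\n' "$script" | bash >/dev/null 2>&1; then echo patched; else echo vulnerable; fi
}

# The "prefixes and suffixes for function exports" item in the changelogs:
# a patched bash no longer exports a function under its bare name (which any
# attacker-controlled variable could mimic) but under an affixed one. Upstream
# bash uses BASH_FUNC_<name>%%; early distro backports used a different suffix,
# so only the prefix is matched here. Prints the entry's name, or "none".
exported_function_envname() {
    have_bash || { echo nobash; return 0; }
    name=$(bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
           | sed -n 's/^\(BASH_FUNC_probe[^=]*\)=.*/\1/p' | head -n 1)
    [ -n "$name" ] && echo "$name" || echo none
}

# Stand-alone use: print every verdict for this machine.
release=$(lsb_release -sc 2>/dev/null || echo unknown)
echo "bash package ($release): $(bash_package_status "$release")"
for cve in 6271 7169 7186 7187; do
    echo "CVE-2014-$cve: $("probe_cve_2014_$cve")"
done
echo "function export entry: $(exported_function_envname)"
```

A "patched" verdict from every probe plus a "fixed" package status is what a fully updated Mint 13 or 17 should show; "patched" for 6271 alone, as on the intermediate 4.3-7ubuntu1.2/1.3 packages, is why the changelogs above kept coming.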
sdibaja
Level 5
Posts: 900
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by sdibaja »

:?
some of us are still waiting for LMDE...
just guessing it is one of these:
1. not broken
2. not highly important
3. rather complex
4. we don't matter :( (humor)

time will tell...
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
killer de bug

Re: BASH vulnerability a.k.a. 'Shellshock'

Post by killer de bug »

sdibaja wrote: :?
some of us are still waiting for LMDE...
killer de bug wrote:By the way, LMDE will be patched as soon as a final patch will be available in Debian Testing.
Source is the team... :wink:
It was pushed this afternoon in Testing... https://packages.qa.debian.org/b/bash/n ... 3912Z.html
If you really badly need it, mainly because you have a server, you can take it there. Or in Sid. Otherwise you will have it probably at the end of the weekend/beginning of next week.
EliTag

Re: Vulnerability in Bash

Post by EliTag »

kyphi wrote: It has already been fixed in all versions of Linux Mint. Check your Update Manager.
It's in my update manager but I can't download it. It says "not found".
karlchen
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by karlchen »

Hello, EliTag.

Actually, I cannot quite imagine what might be going on in your Mint Update Manager.
You might like to click the big [Refresh] button in your Mint Update Manager. This will query the software repositories again and refresh your local list of available updates. Provided the list is not empty click on [Install Updates].
Once Mint Update Manager has finished its job, open a terminal window. Type

Code:
dpkg --list bash
and post the complete screen output here. This will help us tell whether you have got the most recent bash or not.

Kind regards,
Karl
EliTag

Re: Main Edition: BASH vulnerability a.k.a. 'Shellshock'

Post by EliTag »

karlchen wrote: Hello, EliTag.

Actually, I cannot quite imagine what might be going on in your Mint Update Manager.
You might like to click the big [Refresh] button in your Mint Update Manager. This will query the software repositories again and refresh your local list of available updates. Provided the list is not empty click on [Install Updates].
Once Mint Update Manager has finished its job, open a terminal window. Type

Code:
dpkg --list bash
and post the complete screen output here. This will help us tell whether you have got the most recent bash or not.

Kind regards,
Karl
I thought I had done that, but I guess I did not. Thanks for the help, it worked :)