Bash security update published by Redhat
Richard Hordern, Wednesday, 24 September 2014
Hello,

Are you working on implementing the new bash security update?

https://access.redhat.com/solutions/1207723

Seems quite serious; any ETA on this?

http://www.webhostingtalk.com/showthread.php?p=9245167

Thanks!

#1 | 26.09.2014 07:09:34 | kernow (Posts: 72, Joined: 06.08.2010)
Got that test from another website, but will presume your answer is the right one.

#2 | 26.09.2014 07:09:29 | Igor Seletskiy (Posts: 1200, Joined: 09.02.2010)
What exactly do you think it tests? You are basically running:

bash -c "echo vulnerable to CVE-2014-7169"

of course it will print out: vulnerable to CVE-2014-7169
No injection here, bash just executes "echo ...." command.

#3 | 26.09.2014 05:09:51 | kernow (Posts: 72, Joined: 06.08.2010)
I have that version installed.  Here's another test that should work on any nix version:

env var='(){(a)=>\' bash -c "echo vulnerable to CVE-2014-7169"; /bin/true

#4 | 26.09.2014 05:09:22 | david majchrzak (Posts: 8, Joined: 04.04.2014)
Seems to be the correct version though?
https://rhn.redhat.com/errata/RHSA-2014-1306.html

#5 | 26.09.2014 05:09:43 | kernow (Posts: 72, Joined: 06.08.2010)
For Red Hat based systems the test I mentioned above is here: https://access.redhat.com/articles/1200223

#6 | 26.09.2014 05:09:41 | david majchrzak (Posts: 8, Joined: 04.04.2014)
AFAIK it shouldn't print out those error messages, kernow.

Check the bottom of https://access.redhat.com/articles/1212303 for the outputs when not affected.
Perhaps there's a difference in output between Red Hat and Debian?

#7 | 26.09.2014 05:09:34 | kernow (Posts: 72, Joined: 06.08.2010)
Until the fix comes, if you use mod_security add the rules posted here: https://access.redhat.com/articles/1212303

#8 | 26.09.2014 04:09:03 | kernow (Posts: 72, Joined: 06.08.2010)
Yep, me too. But that test should show (if fixed):

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
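Added example, not code from any poster in this thread: the CVE-2014-6271 test quoted above, wrapped in a function that reports a result instead of leaving the reader to compare output by eye. It assumes a bash binary on PATH (or a path passed as the first argument) and, for the package version, that rpm is available; both are assumptions. Stdout and stderr are captured separately because a first-round patched bash still prints the "ignoring function definition attempt" warning shown above, while a later bash does not import the variable as a function at all, and both are patched outcomes.

```bash
#!/bin/sh
# Added example, not code from the thread: wraps the CVE-2014-6271 test
# quoted above into a function that reports the outcome.

# Returns 0 when the tested bash is patched, 1 when it executes the command
# appended to the exported "function", 2 when the binary could not be run.
shellshock_6271_status() {
    bash_bin="${1:-bash}"          # assumption: a bash binary on PATH
    payload='() { :;}; echo vulnerable'
    # stdout and stderr are captured separately so the warning that a
    # first-round patched bash prints can be reported.
    out=$(env x="$payload" "$bash_bin" -c "echo this is a test" 2>/dev/null || true)
    err=$(env x="$payload" "$bash_bin" -c "echo this is a test" 2>&1 >/dev/null || true)

    case "$out" in
        *"this is a test"*) ;;                      # bash ran at all
        *) echo "ERROR: could not run $bash_bin"; return 2 ;;
    esac
    case "$out" in
        *vulnerable*)
            echo "VULNERABLE: $bash_bin ran code appended to an exported function"
            return 1 ;;
    esac
    if printf '%s\n' "$err" | grep -q 'ignoring function definition attempt'; then
        echo "PATCHED: $bash_bin rejected the malformed function import (first-round fix)"
    else
        echo "PATCHED: $bash_bin did not treat the variable as a function at all"
    fi
    return 0
}

# Prints the installed bash package version where rpm is available
# (assumption: an RPM-based system), otherwise what bash reports itself.
bash_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash
    else
        "${1:-bash}" --version 2>/dev/null | head -n 1
    fi
}

# Run directly: SHELLSHOCK_CHECK_RUN=1 ./shellshock_check.sh [/path/to/bash]
if [ "${SHELLSHOCK_CHECK_RUN:-0}" = "1" ]; then
    bash_version "$1"
    shellshock_6271_status "$1"
fi
```

The exit status makes the check usable from a cron job or a configuration-management run: anything other than 0 means the host still needs the package update (or the check itself could not run).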

#9 | 26.09.2014 04:09:56 | Tommy K (Posts: 14, Joined: 03.07.2013)
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
I tried doing an upgrade an hour ago, nothing new, and I did an update ten minutes ago and it downloaded a new bash package.

This is what is installed now:
# yum list installed|grep bash
bash.x86_64                         4.1.2-15.el6_5.2 @cloudlinux-x86_64-server-6

#10 | 26.09.2014 04:09:41 | kernow (Posts: 72, Joined: 06.08.2010)
Not sure it is yet, what do you get from:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

#11 | 26.09.2014 04:09:45 | Tommy K (Posts: 14, Joined: 03.07.2013)
Update seems to be available now.

#12 | 26.09.2014 02:09:47 | Scott Neader (Posts: 89, Joined: 12.06.2014)
CloudLinux pushed out the first bash update, but now there is a second update available.  My non-CloudLinux boxes got the update directly from the CentOS repo... just waiting for CloudLinux to catch up.

- Scott

#13 | 26.09.2014 02:09:08 | Tommy K (Posts: 14, Joined: 03.07.2013)
Is the updated fix far away Igor?

#14 | 25.09.2014 03:09:59 | bitlab (Posts: 3, Joined: 30.04.2014)
Yeah, figured it out, thank you very much!

#15 | 25.09.2014 03:09:57 | david majchrzak (Posts: 8, Joined: 04.04.2014)
bitlab:
try:

yum clean all
yum update bash

It also seems you're using the yum priorities plugin. Perhaps you're holding bash back by having a higher priority for some other repo?
Check the priority in your /etc/yum.repos.d/ files and make sure cloudlinux.repo has the highest (lowest value) priority, that is: priority=1
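Added example, not code from any poster in this thread: a small script that lists the yum-priorities value of every repo section under a yum.repos.d directory and names the enabled repo that wins, so a package yum reports as "excluded due to repository priority protections" can be traced to the repo outranking cloudlinux.repo. It assumes the plugin's documented defaults (a section without priority= counts as 99, a section without enabled= counts as enabled); the directory path and the sample .repo contents below are constructed for illustration.

```bash
#!/bin/sh
# Added example, not code from the thread: lists the yum-priorities value of
# every repo section under a yum.repos.d directory.

# Prints one line per section: "<repoid> <priority> <enabled>".
# A section with no priority= line gets 99, the yum-priorities default;
# a section with no enabled= line is treated as enabled (yum's default).
repo_priorities() {
    dir="${1:-/etc/yum.repos.d}"   # assumption: standard yum repo directory
    cat "$dir"/*.repo 2>/dev/null | awk '
        function value(line,  kv) {
            split(line, kv, "="); gsub(/[[:space:]]/, "", kv[2]); return kv[2] + 0
        }
        function flush() { if (id != "") printf "%s %d %d\n", id, prio, en }
        /^[[:space:]]*\[/ {
            flush()
            s = index($0, "["); e = index($0, "]")
            id = substr($0, s + 1, e - s - 1)
            prio = 99; en = 1
            next
        }
        /^[[:space:]]*priority[[:space:]]*=/ { prio = value($0) }
        /^[[:space:]]*enabled[[:space:]]*=/  { en = value($0) }
        END { flush() }'
}

# Prints the enabled repo id with the lowest priority value (ties broken by name).
# If this is not the cloudlinux repo, that repo can shadow cloudlinux packages.
winning_repo() {
    repo_priorities "$1" | awk '$3 == 1' | sort -k2,2n -k1,1 | awk 'NR == 1 { print $1 }'
}

# Run directly: REPO_PRIORITIES_RUN=1 ./repo_priorities.sh [/etc/yum.repos.d]
if [ "${REPO_PRIORITIES_RUN:-0}" = "1" ]; then
    repo_priorities "$1"
    printf 'winner: %s\n' "$(winning_repo "$1")"
fi
```

The "27 packages excluded due to repository priority protections" line that yum prints later in this thread is exactly the symptom this script is meant to explain: the package exists in the CloudLinux channel but a lower-numbered repo is shadowing it.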

#16 | 25.09.2014 03:09:26 | david majchrzak (Posts: 8, Joined: 04.04.2014)
Igor, will you guys be waiting for upstream for the next patch or will you guys patch it yourselves?

https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23
https://access.redhat.com/security/cve/CVE-2014-7169

Might not be as bad as I thought, so perhaps it's worth waiting for the upstream patch.
http://www.openwall.com/lists/oss-security/2014/09/24/40

#17 | 25.09.2014 03:09:56 | bitlab (Posts: 3, Joined: 30.04.2014)
Hi there:

I just did exactly that but got this:

yum update bash
Loaded plugins: priorities, protectbase, rhnplugin, security
27 packages excluded due to repository priority protections
0 packages excluded due to repository protections
Setting up Update Process
No Packages marked for Update

Any clues?

#18 | 25.09.2014 02:09:31 | Richard Hordern (Posts: 219, Joined: 19.03.2011)
Thanks!

Is there a risk running ldconfig instead of rebooting?

#19 | 24.09.2014 17:09:45 | Igor Seletskiy (Posts: 1200, Joined: 09.02.2010)
Make sure you did: yum clean all
All the packages are in the channel.

#20 | 24.09.2014 16:09:21 | Sergey (Posts: 1, Joined: 24.09.2014)
There are no updates yet. Do you have an ETA?