New on LowEndTalk? Please Register and read our Community Rules.
Comments
To test if you're vulnerable:
x='() { :;}; echo vulnerable' bash -c 'echo test'
A patched bash is available for Debian and Ubuntu, so just apt-get update && apt-get upgrade.
Thanks both, updated my Debian VPS to the latest Bash and it got fixed.
Not for Squeeze.
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz && tar zxfh bash-4.3.tar.gz && cd bash-4.3 && ./configure && make && make install
The cited link from the mentioned text:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
says:
Unable to find vuln CVE-2014-6271
Something doesn't add up.
Have you enabled the LTS repos?
As I understand it, ongoing Squeeze updates rely on external volunteers. So updates may be slower....
Patch for CentOS 5/6/7 also available, just yum update
http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
The security updates for Ubuntu LTS. Even Ubuntu 10.04 from 2010 got the patch 2 hours ago. Fast working. :P
I'd rather use the newest build from source though. What is the current version in the repos?
updated, thanks
Hallelujah for the "MTPuTTY / send a script / select all" option.
This isn't exploitable via OpenSSH right? It's a bug in exporting functions, you kind of have to have a bash prompt first to do that (directly or indirectly).
Did that too...
updated
@taronyu @cassa Thanks, but for Squeeze you also need to patch up to 4.3.25 if you're using 4.3 and up to 4.2.48 using bash 4.2 to be safe for now.
Do you have a download of the latest 4.3.25? I can't find it on the site.
Sure:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
(oops, this one was meant to be in another thread)
Debian packages for Squeeze can be obtained here: http://incoming.debian.org/debian-buildd/pool/main/b/bash/
Will probably be available in squeeze-lts in a short time...
(just wget the .deb for your architecture and dpkg -i)
I already found it, stupid me haha
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz && tar zxfh bash-4.3.tar.gz && cd bash-4.3 && wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025 && sed -i 's/#define PATCHLEVEL 0/#define PATCHLEVEL 24/g' patchlevel.h && patch -p0 < bash43-025 && ./configure && make && make install
Not the way you should do it, but it works.
Aand it's in the first post
Please put a disclaimer there, I have no idea if I'm being -extremely- stupid by changing the patch level from 0 to 24 without doing the real patches.
It isn't vulnerable afterwards though.
Or just 'yum update'
As far as I can see this mostly affects bash scripts run as CGI, since you need to be authenticated to exploit this, or am I wrong?
Also it seems to be contained to the user this gets executed as?
That was my understanding also.
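An added example, not posted by anyone in this thread: it wraps the test one-liner from the first comment in a function and, for the CGI question above, counts access-log lines that carry the `() {` function prefix a request needs in order to reach a bash CGI script. The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): two defender-side checks for CVE-2014-6271.
#  check_local_bash      - runs the thread's test string against the local bash
#  count_shellshock_hits - counts access-log lines containing the "() {" prefix
# The access-log lines below are constructed, not real traffic.

# Prints "vulnerable", "patched", or "bash-not-found".
check_local_bash() {
    command -v bash >/dev/null 2>&1 || { echo bash-not-found; return; }
    # Same test as the first comment: a patched bash prints only "test".
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Constructed Apache-style log: one probe (thread's test string as User-Agent)
# against a CGI path, plus two benign requests.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.35.0"'

# Print the log lines that contain the function-definition prefix.
# -F matches the string literally, so the parentheses and brace are not regex.
shellshock_hits() {
    printf '%s\n' "$1" | grep -F '() {'
}

# Count matching lines; prints 0 (and succeeds) when there are none.
count_shellshock_hits() {
    shellshock_hits "$1" | grep -c '^' || true
}

# Stand-alone run: local bash status and number of suspicious requests.
main() {
    echo "local bash: $(check_local_bash)"
    echo "suspicious requests: $(count_shellshock_hits "$SAMPLE_LOG")"
}

main "$@"
```

Feed a real log with `count_shellshock_hits "$(cat /var/log/apache2/access.log)"`; a non-zero count is a reason to confirm the bash package version on that host.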
Anyone else here written a website purely in bash?
I've played with Bash on Balls but just for fun https://github.com/jneen/balls
Hopefully.
For people running Fedora (19/20/21), updates are available: http://koji.fedoraproject.org/koji/packageinfo?packageID=1088 Maybe still making its way to the mirrors, yum couldn't fetch it, I fixed manually.
Example for Fedora 20 64-bit:
Thanks for the heads up. Just spent the last hour patching servers.