Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: ghorst352 on September 25, 2014, 09:51:27 PM
-
Just seeing if there has been any discussion regarding this vulnerability that just came out.
https://www.us-cert.gov/ncas/alerts/TA14-268A
-
You mean, like this topic, posted yesterday?
http://forums.contribs.org/index.php/topic,51137.0.html
There's an update already out for SME 8 and 9. Install it and you're covered.
-
Can someone tell me the steps to install this? My software installer pane shows the system is up to date and when I do a 'yum install' I get back 'No Packages marked for Update'.
Also, is there a way to get the current version of Bash?
TIA
-
Also, is there a way to get the current version of Bash?
Maybe you have been caught in a mid-air collision of package release, mirror sync and your yum.
Please check the Bash version by 'rpm -q bash' and see in the main post if you have the latest.
-
'rpm -q bash' yields --> bash-3.2-33.el5_10.4
I saw you mention bash version 4.1.2 in another post but is that for CentOS 6? The version I have above is ok for CentOS 5 (SME 8.1), right?
-
as per http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html for SME8
-
Thank you very much for the assistance!
-
Is there any reason why the output of bash --version differs from that of the rpm -q bash command? I bring this up as an alarm that is on the Red Hat forums, so I would imagine somebody knows about this, or perhaps I have been misguided by the forum. Thanks.
[root@mail ~]# rpm -q bash
bash-3.2-33.el5_10.4
[root@mail ~]# bash --version
GNU bash, version 3.2.25(1)-release (i386-redhat-linux-gnu)
-
Never mind, this is a noted issue with the command not reflecting the correct version.
https://www.centos.org/forums/viewtopic.php?f=24&t=48648
-
There is a shell script out to check whether bash is vulnerable or not
https://github.com/hannob/bashcheck
Rolf
-
Thanks for posting this.
There is a shell script out to check whether bash is vulnerable or not
https://github.com/hannob/bashcheck
Rolf
-
Thanks for posting this.
Why please? What will you do with any outcome?
-
Not much. :-P it's more for my peace of mind than anything else. Maybe learn a little more about my server and how to maintain it? I just appreciate that people are willing to help out here.
-
Replying here as this is where the topic dealing with shellshock for SME9 linked me to...
Anyways, I've looked and I do show the new version of bash (bash-4.1.2-15.el6_5.2), but when I check my server it still shows a vulnerability, namely "CVE-2014-6277", as shown by the shellshock test from shellshocker.net. Note: I added the colors below
[root@sme-3 ~]# curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
101 2533 101 2533 0 0 6305 0 --:--:-- --:--:-- --:--:-- 12728
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16: 5024 Segmentation fault bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
[root@sme-3 ~]# exit
What do I need to do to fix that issue or is it something I don't need to worry about?
-
you should/could search for CVE-2014-6277 in RH's bugzilla and with google..
we can only wait for upstream bugfix
-
I don't think RedHat is working on this any more:
Statement
Not affected. This issue did not affect the versions of bash as shipped with Red Hat Enterprise Linux 4, 5, 6, and 7 as it was mitigated by the following Red Hat Security Advisories: RHSA-2014:1306, RHSA-2014:1311, RHSA-2014:1312.
The RedHat CVE page includes a link to this post at Full Disclosure:
http://seclists.org/fulldisclosure/2014/Oct/9
Suggesting:
To test, execute this command from within a bash shell:
foo='() { echo not patched; }' bash -c foo
If you see "not patched", you probably want upgrade immediately. If you see "bash: foo: command not found", you're OK.
My SME 8 and SME 9 servers all report 'bash: foo: command not found'.
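The two one-line checks quoted in this thread can be run locally and offline, without piping a remote script into a root shell, as in this added example (not code from the thread, from Red Hat or from shellshocker.net). It assumes only that `bash` is on PATH; `rpm` is optional and is used only to show why the package release and the self-reported version string differ.

```shell
#!/bin/sh
# Local Shellshock probe. Nothing is downloaded; the checks are the
# one-liners already quoted in the thread, run against the local bash.
# Run it as an unprivileged user (e.g. via chpst -u nobody, as shown
# later in the thread), never as root.

# CVE-2014-6271: code trailing an exported function body must NOT run
# when bash starts. Prints "patched" or "vulnerable".
check_env_function_injection() {
    out=$(env x='() { :;}; echo INJECTED' bash -c ':' 2>/dev/null)
    case "$out" in
        *INJECTED*) echo vulnerable ;;
        *)          echo patched ;;
    esac
}

# Full Disclosure check quoted above: a patched bash no longer imports
# functions from arbitrary variable names, so "foo" is not a command.
check_function_import() {
    out=$(foo='() { echo not patched; }' bash -c foo 2>/dev/null)
    case "$out" in
        *"not patched"*) echo vulnerable ;;
        *)               echo patched ;;
    esac
}

# Shows both version sources side by side. On RHEL/CentOS the package
# release (rpm -q bash) advances with each backported fix while the
# internal string ($BASH_VERSION) stays the same, so only the former
# tells you whether the fix is installed.
report_bash_build() {
    bash -c 'echo "bash reports: $BASH_VERSION"'
    if command -v rpm >/dev/null 2>&1; then
        echo "package is:   $(rpm -q bash 2>/dev/null)"
    fi
}

# Exit status 0 only when every check reports "patched".
shellshock_is_patched() {
    [ "$(check_env_function_injection)" = patched ] &&
    [ "$(check_function_import)" = patched ]
}

# Usage when run directly:
#   report_bash_build
#   shellshock_is_patched && echo "all checks patched" || echo "ACTION NEEDED"
```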
-
Thank you for the Info....I feel better about it now.
-
I don't think RedHat is working on this any more:
CVE-2014-6277 is still an open issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1147189#c7
-
Anyways I've looked and I do show the new version of bash (bash-4.1.2-15.el6_5.2) but when check against my server it still shows a vulnerability namely "CVE-2014-6277" as shown from the shellshock test from shellshocker.net.
Please note that it is unwise to run a test like that via the root account. That's giving whoever controls that website remote control of your server.
This is a better idea:
[root@sdfdsf tmp]# chpst -u nobody /bin/bash
bash: /root/.bashrc: Permission denied
bash-4.1$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
101 2533 101 2533 0 0 748 0 0:00:03 0:00:03 --:--:-- 44438
CVE-2014-6271 (original shellshock): VULNERABLE
bash: line 16: 12730 Segmentation fault bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): VULNERABLE
bash: line 49: 12747 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
bash: line 129: syntax error near `x129'
bash: line 129: `for x129 in ; do :'
CVE-2014-7187 (nested loops off by one): VULNERABLE
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash-4.1$ exit
exit
[root@sdfdsf tmp]#
-
Looks like they updated the test script, as I am now getting good results across the board.
See the final comment discussing the "bug" at https://bugzilla.redhat.com/show_bug.cgi?id=1147189#c22