"Shell Shock" Cure for all pre-October 2014 Pups
"Shell Shock" Cure for all pre-October 2014 Pups
September 27, 2014 edited
Edit: October 7, 2014: As far as I can tell, there are now for all Pups pets available which plug the Shell Shock bug; Get them here: http://murga-linux.com/puppy/viewtopic. ... 075#801075
Hi All,
If your Puppy was published (made available) before September 26, 2014, it is vulnerable to the "Shell Shock" Bug. This is NOT just a Puppy vulnerability. All operating systems are compromised That bug potentially can enable an intruder to gain access to all your data, and take total control of your computer. Unless your router was also manufactured after that date, its firewall may also be compromised by the Shell Shock Bug.
For the full story, and to apply an easy cure for the bug, read thru the short thread starting here: http://murga-linux.com/puppy/viewtopic. ... 578#800578.
Short synopsis and comments:
Bash is one of software's building blocks. It is used in almost everything: your router, your operating system -- whether you're running Windows. Mac or Linux-- probably your android appliances and i-Stuff. The vulnerability has been around for about 25 years: it seems someone left a back door "for testing purposes" open. About three days ago, the discovery of that vulnerability was announced. The Linux world has quickly responded. Red Hat was the first to devise a solution, and being open source, announced it. Thank you Red Hat. Patches now exist, I believe, for all versions of Puppy, based on the work done by Ubuntu, Slackware, and in a couple of instances relating to T2 Built Pups our own Devs, Geoffrey, dejan555, and anikin. Thanks, Guys.
The patches are not a complete solution to the bug. So keep your eyes open for that.
Since your router may be compromised, be sure to turn on the firewall of your operating system.
Windows has yet to respond. And whether it will respond with a "bug-fix" for XP, or any version prior to Windows 7 is questionable. Also questionable is whether any such fix will work under Wine. See, http://wiki.winehq.org/SecuringWine. Wine has shrugged off any real concern for security because most Linux distros do not let you automatically run applications as "root" --think Administrator in the Windows' world. Puppy does. So until matters are clarified, I recommend being cautious about running windows programs under wine. Several years ago, wine was almost an essential component of any Linux OS, because Linux applications were not as far advanced as those available under XP. That is not the case today. Unless you're running specialized business programs, there is only one or two areas I know of in which you won't find some application as good as, and often better than, windows programs purchased by consumers. Taxes. As yet, there is only one LInux software to prepare your US or State taxes. [See, http://opentaxsolver.sourceforge.net/, which I haven't tried]. TurboTax, TaxAct and H&R Block's installable versions won't run under Wine, anyway, and its seems that changes last year preclude the use of online versions.
I don't play games, so perhaps there are games which will run under wine whose equivalents can't be found under Linux. But if you must use Wine, might I suggest that you setup a separate Puppy just for those things you can't live without. I doubt it will use up more than a couple of Gbs of your hard-drive, even with shinobar's "uncompressed" wine-portable. Or install that Pup to a USB-Key.
mikesLR
Edit: October 7, 2014: As far as I can tell, there are now for all Pups pets available which plug the Shell Shock bug; Get them here: http://murga-linux.com/puppy/viewtopic. ... 075#801075
Hi All,
If your Puppy was published (made available) before September 26, 2014, it is vulnerable to the "Shell Shock" Bug. This is NOT just a Puppy vulnerability. All operating systems are compromised That bug potentially can enable an intruder to gain access to all your data, and take total control of your computer. Unless your router was also manufactured after that date, its firewall may also be compromised by the Shell Shock Bug.
For the full story, and to apply an easy cure for the bug, read thru the short thread starting here: http://murga-linux.com/puppy/viewtopic. ... 578#800578.
Short synopsis and comments:
Bash is one of software's building blocks. It is used in almost everything: your router, your operating system -- whether you're running Windows. Mac or Linux-- probably your android appliances and i-Stuff. The vulnerability has been around for about 25 years: it seems someone left a back door "for testing purposes" open. About three days ago, the discovery of that vulnerability was announced. The Linux world has quickly responded. Red Hat was the first to devise a solution, and being open source, announced it. Thank you Red Hat. Patches now exist, I believe, for all versions of Puppy, based on the work done by Ubuntu, Slackware, and in a couple of instances relating to T2 Built Pups our own Devs, Geoffrey, dejan555, and anikin. Thanks, Guys.
The patches are not a complete solution to the bug. So keep your eyes open for that.
Since your router may be compromised, be sure to turn on the firewall of your operating system.
Windows has yet to respond. And whether it will respond with a "bug-fix" for XP, or any version prior to Windows 7 is questionable. Also questionable is whether any such fix will work under Wine. See, http://wiki.winehq.org/SecuringWine. Wine has shrugged off any real concern for security because most Linux distros do not let you automatically run applications as "root" --think Administrator in the Windows' world. Puppy does. So until matters are clarified, I recommend being cautious about running windows programs under wine. Several years ago, wine was almost an essential component of any Linux OS, because Linux applications were not as far advanced as those available under XP. That is not the case today. Unless you're running specialized business programs, there is only one or two areas I know of in which you won't find some application as good as, and often better than, windows programs purchased by consumers. Taxes. As yet, there is only one LInux software to prepare your US or State taxes. [See, http://opentaxsolver.sourceforge.net/, which I haven't tried]. TurboTax, TaxAct and H&R Block's installable versions won't run under Wine, anyway, and its seems that changes last year preclude the use of online versions.
I don't play games, so perhaps there are games which will run under wine whose equivalents can't be found under Linux. But if you must use Wine, might I suggest that you setup a separate Puppy just for those things you can't live without. I doubt it will use up more than a couple of Gbs of your hard-drive, even with shinobar's "uncompressed" wine-portable. Or install that Pup to a USB-Key.
mikesLR
Last edited by mikeslr on Wed 08 Oct 2014, 00:40, edited 1 time in total.
Confused 2 -
does this mean that all the luvly puppies that have been made over the last 5,6,7 or so years are useless and should be sent to the knackers yard in the sky?
Please help me/us to understand - is this a back door?
Are we safe?
Could we make a new “shell shock
does this mean that all the luvly puppies that have been made over the last 5,6,7 or so years are useless and should be sent to the knackers yard in the sky?
Please help me/us to understand - is this a back door?
Are we safe?
Could we make a new “shell shock
[b]Asus[/b] 701SD. 2gig ram. 8gb SSD. [b]IBM A21m[/b] laptop. 192mb ram. PIII Coppermine proc. [b]X60[/b] T2400 1.8Ghz proc. 2gig ram. 80gb hdd. [b]T41[/b] Pentium M 1400Mhz. 512mb ram.
If your a billion dollar company running a web server on your free puppy linux distro, then it would be wise to update bash.
https://www.youtube.com/watch?v=ArEOVHQu9nk
Else it's not that important, but if it can be fixed why not fix it
https://www.youtube.com/watch?v=ArEOVHQu9nk
Else it's not that important, but if it can be fixed why not fix it
[b]Carolina:[/b] [url=http://smokey01.com/carolina/pages/recent-repo.html]Recent Repository Additions[/url]
[img]https://dl.dropboxusercontent.com/s/ahfade8q4def1lq/signbot.gif[/img]
[img]https://dl.dropboxusercontent.com/s/ahfade8q4def1lq/signbot.gif[/img]
So what does this mean? Are the main iso's that people will download just to try out Puppy Linux still be vonurable, or are they going to be remastered with a patched BASH version?
I mean people will go to a site like puppylinux.org, where they will read that there's this great Linux distro which has -long term support-, and right now they will download a Puppy iso from 2013, with the Shellshock vonurability, and the only way for them to get that fixed is if they have the good sense and awareness to visit sites like this one and read up on matters.
I don't believe that kind of responsibility should be expected from first time users.
I mean people will go to a site like puppylinux.org, where they will read that there's this great Linux distro which has -long term support-, and right now they will download a Puppy iso from 2013, with the Shellshock vonurability, and the only way for them to get that fixed is if they have the good sense and awareness to visit sites like this one and read up on matters.
I don't believe that kind of responsibility should be expected from first time users.
What downloadable iso that you know of comes with a Patched bash?solo wrote:So what does this mean? Are the main iso's that people will download just to try out Puppy Linux still be vonurable, or are they going to be remastered with a patched BASH version?
I mean people will go to a site like puppylinux.org, where they will read that there's this great Linux distro which has -long term support-, and right now they will download a Puppy iso from 2013, with the Shellshock vonurability, and the only way for them to get that fixed is if they have the good sense and awareness to visit sites like this one and read up on matters.
I don't believe that kind of responsibility should be expected from first time users.
Even Apple just released their fix recently.
I am kinda missing the point here.
But I have always been a slow study type of Linux user.
I don't get gist of the bitch?
Would someone please explain to me how this vulnerability affects a Puppy CLIENT machine in ANY way?
No generalizations please - specific examples.
The greater long-term risk to Puppy is that bash changes the way it handles exported functions. This would affect just about every gtkdialog app in Puppy.
No generalizations please - specific examples.
The greater long-term risk to Puppy is that bash changes the way it handles exported functions. This would affect just about every gtkdialog app in Puppy.
What is #shellshock?
https://shellshocker.net/
For informational purposes only.
https://shellshocker.net/
For informational purposes only.
Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash in since Sun Sep 28 2014: 1:11AM EST (See patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.
You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.
From Symantec.
http://www.symantec.com/connect/blogs/s ... nerability
http://www.symantec.com/connect/blogs/s ... nerability
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.
Aside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.
For consumers
Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
1. Having installed bash-4.3.27-1.pet...
2. I tried testing my system [Slacko-5.7.0-pae] at the site linked in the post above by james C.
i.e. https://shellshocker.net/
3. My system was invulnerable to exploits 1, 2 & 3, and vulnerable to exploits 4 & 5.
Hey-ho, rcrsn51 says it's irrelevant anyway.
2. I tried testing my system [Slacko-5.7.0-pae] at the site linked in the post above by james C.
i.e. https://shellshocker.net/
3. My system was invulnerable to exploits 1, 2 & 3, and vulnerable to exploits 4 & 5.
Hey-ho, rcrsn51 says it's irrelevant anyway.
Why let any little thing like facts interfere with a good crisis?
Bold emphasis mine...
Symantec is a fairly well-respected entity in computer security.
Bold emphasis mine...
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.
http://www.symantec.com/connect/blogs/s ... nerabilityAside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.
Symantec is a fairly well-respected entity in computer security.
Good point. See https://access.redhat.com/articles/1200223, the "Common Configuration examples" section. The only thing which is probably vulnerable is CUPS - assuming that the CUPS webserver is open for everybody for attack. For some others who do remoting a lot, SSH may be a vector. The other likely problem is "dhclient", but puppies don't use dhclient, they use "dhcpcd" instead. I wonder whether dhcpcd has similar env issues like dhclient.rcrsn51 wrote:So there is ZERO need for a Puppy user to patch his/her version of bash. Unless, as Geoffrey said above, they are running a server exposed to the world.
Since my router has a decent password on it, I cannot see how this bug makes it any less secure.
Did you read about a guy who made this Canon printer plays Doom (no, I'm not joking - he actually compromised the printer's firmware and upload Doom game to it )Exactly. Instead testing to see if the bash bug makes you vulnerable to YOURSELF, you should try attacking some other device on your network that runs a web server, like a wireless printer.
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
I think the real point is that you can't trust the whole internet (how many unpatched linux servers are there?) for serious tasks such as home-banking and e-commerce. I use internet to play but I fear to use it for serious tasks even business e-mails. I stopped using debit cards on internet after many frauds. I trust my online bank only beacause I hope they are more scrupolous than me in ai security measures. I patch my puppy but the problem is out there.
If you are getting your IP address from a malicious DHCP server, you probably have bigger problems than shellshock.The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
Sometimes you don't have control over which DHCP server you use (e.g. when you use free wifi from McDonalds or the like). If they are infected, then they can get to your laptop to. At the end of the day, like everything in life, the risks depend one your lifestylercrsn51 wrote:If you are getting your IP address from a malicious DHCP server, you probably have bigger problems than shellshock.The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
True. But is there any evidence that updating your own bash would protect you? A more likely scenario is that they would give you an IP address on a malicious network that would try to harvest your personal information.jamesbond wrote:Sometimes you don't have control over which DHCP server you use (e.g. when you use free wifi from McDonalds or the like). If they are infected, then they can get to your laptop to.