Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
dejan555


Joined: 30 Nov 2008
Posts: 2807
Location: Montenegro

Posted: Thu 02 Oct 2014, 12:19

mavrothal wrote:
So patch 20 just came out and now bash 3.0.20 is fine. Very Happy


Mirror: bash-3.0.20-i486.pet

_________________
puppy.b0x.me stuff mirrored HERE or HERE
Scooby

Joined: 03 Mar 2012
Posts: 601

Posted: Thu 02 Oct 2014, 13:05

Installed sysdig to watch for shell shock attacks

couple of hours in and no attack attempts detected

Maybe it is not so dangerous for the home user as some
sites imply.

or

Maybe ISP blocks scans for vulnerable comp's?


http://postimg.org/image/5t2imu5bt/
rcrsn51


Joined: 05 Sep 2006
Posts: 12629
Location: Stratford, Ontario

Posted: Thu 02 Oct 2014, 13:26

Scooby wrote:
Maybe it is not so dangerous for the home user as some sites imply.

See an alternate discussion of this issue here.
perdido


Joined: 09 Dec 2013
Posts: 1345
Location: ¿Altair IV , Just north of Eeyore Junction.?

Posted: Thu 02 Oct 2014, 15:15

mavrothal wrote:


So patch 20 just came out and now bash 3.0.20 is fine. Very Happy



Puppy 4.12 updated, frisbee working fine.
Thanks again!

.
tuxtoo


Joined: 14 Dec 2010
Posts: 138
Location: North Yorkshire, UK

Posted: Thu 02 Oct 2014, 15:28

Updated and mirrored bash-3.0.22-i486.pet on Puppy 4.1.2 and passes -

Code:
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash


Bash also updated to bash-3.0.22-i486.pet on http://412collection.co.uk

Thanks yet again to mavrothal

_________________
Puppy Linux search engine.

http://wellminded.net63.net/ Suitable for older browsers.

Mirror https://puppysearch.neocities.org

Last edited by tuxtoo on Mon 06 Oct 2014, 17:23; edited 3 times in total
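
The command above fetches the test script with `--insecure`, which turns off certificate verification, and pipes it straight into a root shell, so nothing checks what bash actually executes. An added example (not code from any poster in this thread) that downloads with verification left on and runs a file only when its SHA-256 matches a digest recorded after the file was read; the function names and the constructed demo script are assumptions.

```bash
#!/bin/bash
# Added example: download with certificate checks on, run only a reviewed file.

# fetch_script URL FILE: HTTPS only, no --insecure, fail on HTTP errors.
fetch_script() {
    curl --fail --silent --show-error --proto '=https' --output "$2" "$1"
}

# run_if_pinned FILE SHA256: run FILE with bash only if its SHA-256 equals the
# digest recorded when the file was read and approved.
# Returns 2 if FILE is unreadable, 3 on digest mismatch, else the script's status.
run_if_pinned() {
    local file="$1" want="$2" got
    [ -r "$file" ] || return 2
    got=$(sha256sum "$file" | awk '{print $1}')
    if [ "$got" != "$want" ]; then
        echo "refusing to run $file: sha256 is $got, expected $want" >&2
        return 3
    fi
    bash "$file"
}

# Offline demonstration; the constructed script stands in for a downloaded one.
demo_dir=$(mktemp -d)
printf 'echo "constructed test script ran"\n' > "$demo_dir/test.sh"
pin=$(sha256sum "$demo_dir/test.sh" | awk '{print $1}')   # noted at review time
run_if_pinned "$demo_dir/test.sh" "$pin"                  # digest matches: runs
printf 'echo "line added after review"\n' >> "$demo_dir/test.sh"
run_if_pinned "$demo_dir/test.sh" "$pin" || echo "second run blocked (status $?)"
rm -rf "$demo_dir"
```

For the real download, `fetch_script https://shellshocker.net/shellshock_test.sh ./shellshock_test.sh` takes the place of the constructed file, and the digest is the one noted after reading it.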
rg66


Joined: 23 Jul 2012
Posts: 1160
Location: Vancouver, BC Canada / Entebbe, Uganda Africa!?!

Posted: Fri 03 Oct 2014, 05:49

Geoffrey and I came up with an auto patching script. It downloads the source, the patches, and compiles it. It requires yad which most puppies have except slacko, but it's in the repo.

Remove the fake .gz extension and make sure it's executable.

The devx.sfs must be loaded to compile

Edit: Updated to v1.1
Attachment: bash_patcher-1.1.gz (1.52 KB, downloaded 228 times). Description: Remove fake .gz extension

_________________
X-slacko-5b1 - X-tahr-2.0 - X-precise-2.4
X-series repo

Last edited by rg66 on Sat 04 Oct 2014, 01:26; edited 3 times in total
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

Posted: Fri 03 Oct 2014, 06:50

Bash updated again pets are here http://www.murga-linux.com/puppy/viewtopic.php?p=801669#801669

Quote:
Bash-Release: 4.3
Patch-ID: bash43-029

Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

When bash is parsing a function definition that contains a here-document
delimited by end-of-file (or end-of-string), it leaves the closing delimiter
uninitialized. This can result in an invalid memory access when the parsed
function is later copied.

_________________
Carolina: Recent Repository Additions

anikin

Joined: 10 May 2012
Posts: 1020

Posted: Fri 03 Oct 2014, 07:55

rg66 wrote:
Geoffrey and I came up with an auto patching script. It downloads the source, the patches, and compiles it. It requires yad which most puppies have except slacko, but it's in the repo.
rg66 and Geoffrey,

Can you please, make a simpler version of the autopatching script - a purely text based compiling script, similar to slackbuilds, iguleder's, or Tman's scripts?

Thank you in advance.
mavrothal


Joined: 24 Aug 2009
Posts: 3057

Posted: Fri 03 Oct 2014, 08:37

mavrothal wrote:
However, now that the "function" worm of cans is opened I would not be surprised if 21 and 22 are around the corner.


Rolling Eyes

bash-3.0.21.

Passes all tests

_________________
== Here is how to solve your Linux problems fast ==
rg66


Joined: 23 Jul 2012
Posts: 1160
Location: Vancouver, BC Canada / Entebbe, Uganda Africa!?!

Posted: Fri 03 Oct 2014, 11:04

anikin wrote:
Can you please, make a simpler version of the autopatching script - a purely text based compiling script, similar to slackbuilds, iguleder's, or Tman's scripts?

Thank you in advance.


Sure, double click (or single depending on desktop settings) to run in terminal. The working directory is where the script is run from.

The devx.sfs must be loaded to compile

Edit: Updated to v1.1
Attachment: bash_patcher.png (38.78 KB, viewed 746 times). Description: Remove fake .gz extension

Attachment: bash_patcher_cli-1.1.gz (1.77 KB, downloaded 450 times)

_________________
X-slacko-5b1 - X-tahr-2.0 - X-precise-2.4
X-series repo

Last edited by rg66 on Sat 04 Oct 2014, 01:29; edited 3 times in total
rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Fri 03 Oct 2014, 11:19

mavrothal wrote:
bash-3.0.21.

Passes all tests


Your 3.0.20 still passes:
Code:
curl --insecure https://shellshocker.net/shellshock_test.sh | bash


There are others? Shocked

Thanks!
dejan555


Joined: 30 Nov 2008
Posts: 2807
Location: Montenegro

Posted: Fri 03 Oct 2014, 12:59

I won't be able to do any compiling for a few days as I'm off to the countryside, I'll mirror new pets when I'm back
_________________
puppy.b0x.me stuff mirrored HERE or HERE
lost3.1


Joined: 03 Apr 2014
Posts: 38
Location: Boston,MA USA

Posted: Fri 03 Oct 2014, 20:05    Post subject: bash
Subject description: bash test
 

GNU bash, version 4.3.29(1)-release (i686-pc-linux-gnu)

Precise Puppy version 5.7.1, released Aug 2013



Passed

_________________
[else Y if-false Y]

Last edited by lost3.1 on Fri 03 Oct 2014, 20:28; edited 1 time in total
version2013

Joined: 08 Sep 2013
Posts: 442
Location: Florida, USA

Posted: Fri 03 Oct 2014, 20:18    Post subject: mirroring

My list of mirrors for the latest bash packages:
http://version2013.yolasite.com/page1.php#bash
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Fri 03 Oct 2014, 23:17

Slacko 5.9.3 ...... latest bash from Slackware.

Code:


# bash --version
GNU bash, version 4.2.50(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2194  100  2194    0     0   4223      0 --:--:-- --:--:-- --:--:--  4310
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash: line 49: 14617 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
#
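
In the run above, the single VULNERABLE result sits between five passing checks and unrelated shell noise, which is easy to misread as a pass. An added example (not part of the original post or of shellshock_test.sh) that reduces such output to one verdict per check and a non-zero exit status when any check fails or when no results were produced at all; the function names are assumptions, and the sample lines are copied from the post with the long here-document command shortened.

```bash
#!/bin/bash
# Added example: summarise shellshock_test.sh output instead of eyeballing it.

# Reads the test output on stdin and prints "ID<TAB>verdict" per check.
# Returns 0 if every check says "not vulnerable", 1 if any check is VULNERABLE
# or has an unrecognised verdict, 2 if no result lines were seen at all
# (for example the download failed and bash was fed nothing).
summarize_shellshock_report() {
    awk '
        # Result lines look like: CVE-2014-7186 (redir_stack bug): VULNERABLE
        # Everything else (curl progress, "bash: ..." noise) is skipped.
        /^CVE-[0-9]+-[^ ]+ \(.*\): / {
            verdict = $0
            sub(/^.*\): */, "", verdict)        # keep the text after "): "
            sub(/[ \t\r]+$/, "", verdict)       # drop trailing whitespace / CR
            if (verdict == "not vulnerable") verdict = "ok"
            else if (verdict != "VULNERABLE") verdict = "unknown"
            if (verdict != "ok") bad = 1
            print $1 "\t" verdict
            seen++
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Result and noise lines copied from the Slacko 5.9.3 run quoted in this thread
# (the repeated <<EOF on the segfault line is shortened).
sample_report() {
    cat <<'REPORT'
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash: line 49: 14617 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
REPORT
}

sample_report | summarize_shellshock_report ||
    echo "exit status $?: at least one check did not pass"
```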