BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
- OscarTalks
- Posts: 2196
- Joined: Mon 06 Feb 2012, 00:58
- Location: London, England
The 4.3 version is probably fine in Dpup Wheezy but in case anyone wants to stick with the 4.2 I have uploaded
bash-4.2.53-wheezy.pet (binary only).
Also bash-4.2.53-slacko14.0. pet (binary only, compiled in Slacko 5.7)
http://smokey01.com/OscarTalks
bash-4.2.53-wheezy.pet (binary only).
Also bash-4.2.53-slacko14.0. pet (binary only, compiled in Slacko 5.7)
http://smokey01.com/OscarTalks
Oscar in England
Partial Shellshock fix for Lighthouse64.....
Newest Slackware bash for Slackware 14.0 x86-64 from
http://www.slackware.com/security/viewe ... ity.559646
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/s ... ck14.0.txz
I assume there will be further updates.
Newest Slackware bash for Slackware 14.0 x86-64 from
http://www.slackware.com/security/viewe ... ity.559646
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/s ... ck14.0.txz
Code: Select all
bash-4.2# bash --version
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
<root> ~
bash-4.2#
Code: Select all
bash-4.2# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 5692 0 --:--:-- --:--:-- --:--:-- 6665
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16: 31327 Segmentation fault bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
<root> ~
I assume there will be further updates.
slacko5.7 and 5.5XL
patch 4.3.30-1 passes all tests "not vunerable" using slacko 5.7 derivitive with 3.4.82 (non-pae) kernal. I don't use frisbee for wifi cnxn... can't report on that.
edit:
Also patched as above on slacko 5.5XL kernal 3.2.33-4g.
edit:
Also patched as above on slacko 5.5XL kernal 3.2.33-4g.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
"Zuckerberg: a large city inhabited by mentally challenged people."
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
There seems to be confusion concerning version and build numbers. Here's what I'm running successful tests with on Fatdog 630-631 and Fatdog 700 b1, all 64-bit versions. Here is the corresponding test result.
Added: this update is not from a .pet file. Fatdog 700 has switched to gslapt/slaptget package manager. Because the other files have not changed at all I was able to upgrade my older installation by simply copying /bin/bash from 700 b1 to /bin of 630-631. This was listed as release 5 of the x86_64 bit version of bash 4.2 in gslapt/slaptget. or bash-4.2-x86_64-5.txz .
With the exception of the version number these instructions from JamesBond should still apply.
This should do until we stop getting new changes and copying things from a beta release.
Code: Select all
# bash --version
GNU bash, version 4.2.52(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#
Code: Select all
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 6406 0 --:--:-- --:--:-- --:--:-- 7538
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
#
With the exception of the version number these instructions from JamesBond should still apply.
Code: Select all
1. Get bash-4.2-x86_64-3.txz from 700 repo.
2. mkdir /tmp/xxx
3. cd /tmp/xxx
4. tar -xf /path/to/downloaded/bash-4.2-x86_64-3.txz
5. try to run ./bin/bash --version (version should be 4.2.49)
6. if this is good then cp ./bin/bash /bin
Last edited by prehistoric on Fri 10 Oct 2014, 22:51, edited 2 times in total.
- perdido
- Posts: 1528
- Joined: Mon 09 Dec 2013, 16:29
- Location: ¿Altair IV , Just north of Eeyore Junction.?
Puppy 4.1.2 friendly version that does not break frisbee.mavrothal wrote:Bash-3.0.22.
Passes all tests.
Keep in mind that although older versions may not be vulnerable to given exploits, newer versions have better solutions for the given problems (till the next version of course... )
Thanks!
.
Oscar Talks' slacko pet good
Oscar Talks' slacko pet passes all 7 tests in slacko 5.7 & 5.7.0
http://smokey01.com/OscarTalks/bash-4.2 ... ko14.0.pet
http://smokey01.com/OscarTalks/bash-4.2 ... ko14.0.pet
Latest Bash from Slackware in Slacko64-5.9.1.
Code: Select all
# bash --version
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Code: Select all
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2627 100 2627 0 0 4343 0 --:--:-- --:--:-- --:--:-- 5350
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
bash: line 50: 12499 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
@gcmartin,
When I got a fast download of Lighthouse Pup 6.02 b2, I ran a quick experiment of dropping in the binary from /bin/bash in Fatdog 700 b1. The version named in the prompt needs to be updated, and likely a few other files. This appears to work, but obviously it is not carefully tested to see if it breaks anything else. I'll leave that to people familiar with Lighthouse Puppy.
When I got a fast download of Lighthouse Pup 6.02 b2, I ran a quick experiment of dropping in the binary from /bin/bash in Fatdog 700 b1. The version named in the prompt needs to be updated, and likely a few other files. This appears to work, but obviously it is not carefully tested to see if it breaks anything else. I'll leave that to people familiar with Lighthouse Puppy.
Code: Select all
bash-4.1# bash --version
GNU bash, version 4.2.52(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
<root> ~
bash-4.1# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2627 100 2627 0 0 6191 0 --:--:-- --:--:-- --:--:-- 6931
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
<root> ~
bash-4.1#
Slacko 5.7 from the Updates Manager.
Code: Select all
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2627 100 2627 0 0 6177 0 --:--:-- --:--:-- --:--:-- 7297
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Code: Select all
# bash --version
GNU bash, version 4.2.50(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#
Bash threat help
I would just like to thank all those who helped resolve this bash threat especially dejan 555, mavrothal, Geoffrey and james C.Its nice there a knowledgeable people who will help in times of need.
I am running precise 5.6.1 and I used dejans bash 4.3.30 dpup 487 and everything is not vulnerable. Unfortunately I haven't figured out how to paste from the terminal.
If precise 5.7.1 was to be recommended to a new member would this bash update and the heartbleed update proviided by shinobar be all that was necessary for a secure operating system?
Thanks Bird Dog
I am running precise 5.6.1 and I used dejans bash 4.3.30 dpup 487 and everything is not vulnerable. Unfortunately I haven't figured out how to paste from the terminal.
If precise 5.7.1 was to be recommended to a new member would this bash update and the heartbleed update proviided by shinobar be all that was necessary for a secure operating system?
Thanks Bird Dog
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
@Bird Dog,
You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability. SSLv3 is going away from all major browsers soon in any case. If the server demands SSL, and not TLS, it probably has other vulnerabilities stemming from old software. There are banks in this category.
This is not exactly a vulnerability in Puppy, but it is a weakness in secure communication which could compromise sensitive data. A man-in-the-middle could interfere with TLS connections, and cause fallback to SSL, if your browser allows this.
You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability. SSLv3 is going away from all major browsers soon in any case. If the server demands SSL, and not TLS, it probably has other vulnerabilities stemming from old software. There are banks in this category.
This is not exactly a vulnerability in Puppy, but it is a weakness in secure communication which could compromise sensitive data. A man-in-the-middle could interfere with TLS connections, and cause fallback to SSL, if your browser allows this.
In firefox I use:prehistoric wrote:@Bird Dog,
You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability.
https://addons.mozilla.org/it/firefox/a ... l/?src=api
Thanks. I had to find an EN page:watchdog wrote:In firefox I use:prehistoric wrote:@Bird Dog,
You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability.
https://addons.mozilla.org/it/firefox/a ... l/?src=api
When I installed, I think I had to "Download anyway" but it seems to be working OK inSSL Version Control 0.2 wrote:As of version 0.2, this add-on should work with all Mozilla products, including Firefox, Firefox for Android, Thunderbird, and Seamonkey.
From the little I've read, this looks like a relatively recently documented security flaw that I had not heard anything about. Thanks for that, too.User agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0 SeaMonkey/2.18
Build identifier: 20130502195722
additional measures
I also use V.C.SSL 0.2. One thing about it that annoys me is that it auto-logins using TLS 1.0. After starting FF, one has to manually select either 1.1 or 1.2 versions. On browser-close, the setting reverts to TLS 1.0.
And of course for the security minded folks about config should be editted basically to allow anything with 256 in the name (especially sha256) and false those without 256 in the name.
Supposedly FF34 will remove ssl3 validations of all types, and eliminate rc4 logins.
And of course for the security minded folks about config should be editted basically to allow anything with 256 in the name (especially sha256) and false those without 256 in the name.
Supposedly FF34 will remove ssl3 validations of all types, and eliminate rc4 logins.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
"Zuckerberg: a large city inhabited by mentally challenged people."
-
- Posts: 1885
- Joined: Tue 05 Jun 2012, 12:17
- Location: Wisconsin USA
- perdido
- Posts: 1528
- Joined: Mon 09 Dec 2013, 16:29
- Location: ¿Altair IV , Just north of Eeyore Junction.?
This site tells you which SSL/TLS you are using.rolf wrote:I tried setting SSL Version Control 0.2 to TLS 1.2 in the dropdown. I haven't had any problems with websites, yet, don't know if it is doing anything, and there is no longer a dropdown menu to select the version in this extension's preferences.
https://www.howsmyssl.com/
edit: forgot to mention I am using Firefox 16 Nightly and I had turned off SSL 3.0 before I went to this site. The site warned about a vulnerable cipher key, Firefox had not turned off the following vulnerable SSL 3.0 cipher key, security.ssl3.rsa_fips_des_ede3_sha, which was still marked as "true" in about:config , after changing to "false" the only warning received from the connection was the browser is using TLS 1.0
.