BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
Fossil


Joined: 13 Dec 2005
Posts: 1156
Location: Gloucestershire, UK.

PostPosted: Tue 30 Sep 2014, 06:57    Post subject:  

This is truly ironic! Is there somewhere else - without all the 'hidden-behind-the-scene' other websites - where we can download the bash-3.0.19.pet? Ironic, why? Because I have to turn off NoScript to accept the download - creating by so doing a potential vulnerability to the computer. Data File Host is inaccessible unless several other 'satellite' websites are also permitted access.
[Attachment: Data File Host - NoScript - crop, 30-09-2014.jpg]

dejan555


Joined: 30 Nov 2008
Posts: 2817
Location: Montenegro

PostPosted: Tue 30 Sep 2014, 07:19    Post subject:  

Mirrored: bash-3.0.19-i486-1.pet
Also mirrored SFR's bash-4.1.13-2.pet

Updated links to latest versions here:
http://murga-linux.com/puppy/viewtopic.php?p=801075#801075

_________________
puppy.b0x.me stuff mirrored HERE or HERE

Last edited by dejan555 on Tue 30 Sep 2014, 09:44; edited 1 time in total
darkcity


Joined: 23 May 2010
Posts: 2549
Location: near here

PostPosted: Tue 30 Sep 2014, 08:27    Post subject:  

Good afternoon,

Is there a version for Slacko 5.3.1? Looking in the Slackware 13.37 repository only shows Bash 4.1. I can't upgrade to the new Slacko because sound no longer works since 5.5 removed parts of ALSA.

Cool

_________________
helping Wiki for help
dejan555


Joined: 30 Nov 2008
Posts: 2817
Location: Montenegro

PostPosted: Tue 30 Sep 2014, 09:48    Post subject:  

Both mine or Geoffrey's pet should work, see link in my previous post above, they're not compiled in slacko specifically but reported to work, I think someone in this thread linked to slackware package though.
_________________
puppy.b0x.me stuff mirrored HERE or HERE
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

PostPosted: Tue 30 Sep 2014, 10:06    Post subject: What is #shellshock?  

What is #shellshock?

https://shellshocker.net/


Quote:
Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash since Sun Sep 28 2014: 1:11AM EST (See patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.
watchdog

Joined: 28 Sep 2012
Posts: 1950
Location: Italy

PostPosted: Tue 30 Sep 2014, 12:25    Post subject:  

I successfully tested mavrothal_patched_bash in lucid, slacko 13.37-based and slacko 14.0-based puppies. Someone already reported it working in puppy 4 series. It doesn't break frisbee. Every patched bash, at this round, worked. I am afraid for the third round, the fourth... It seems that also linux needs frequent updates. I remember gnutls patch, heartbleed and now bash. Crying or Very sad
Fossil


Joined: 13 Dec 2005
Posts: 1156
Location: Gloucestershire, UK.

PostPosted: Tue 30 Sep 2014, 14:42    Post subject:  

@dejan555. Thanks for mirroring the bash.pet's.
ozsouth

Joined: 01 Jan 2010
Posts: 636
Location: S.E Australia

PostPosted: Tue 30 Sep 2014, 19:49    Post subject: SFR's latest fix is good  

SFR's latest Slacko 32bit fix is here:

http://www.datafilehost.com/d/ff468fcc
gcmartin

Joined: 14 Oct 2005
Posts: 6730
Location: Earth

PostPosted: Tue 30 Sep 2014, 23:09    Post subject:  

Original post has new information that some may find an easy understanding of this exposure.

Hope this provides additional clarity

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... Its time to show that we know this!
3 Different Puppy Search Engines or use DogPile
Geoffrey


Joined: 30 May 2010
Posts: 2378
Location: Queensland

PostPosted: Wed 01 Oct 2014, 09:35    Post subject:  

There are still Vulnerabilities with bash, my build has 2, can everyone that built packages run this in a terminal
Code:
curl https://shellshocker.net/shellshock_test.sh | bash


rg66's version built in x-slacko works ok in carolina
[Attachment: bash-3.0.19-i486.png - Built in wary/racy by mavrothal]
[Attachment: bash-4.3.27-1-i486-dpup487.png - Built in dpup487 by dejan555]
[Attachment: rg66-bash-4.3.27.png - Built in X-Slacko by rg66, works in Carolina]
[Attachment: bash-4.3.27.png - Built in Carolina by me]


_________________
Carolina: Recent Repository Additions

Terryphi


Joined: 02 Jul 2008
Posts: 768
Location: West Wales, Britain.

PostPosted: Wed 01 Oct 2014, 10:46    Post subject:  

Geoffrey wrote:
There are still Vulnerabilities with bash, my build has 2, can everyone that built packages run this in a terminal
Code:
curl https://shellshocker.net/shellshock_test.sh | bash


Using the shellshocker.net test there are still 2 vulnerabilities in mavrothal's 3.0.19-i486.1.pet for Racy: CVE-2014-7186 and CVE-2014-7187.
mavrothal


Joined: 24 Aug 2009
Posts: 3098

PostPosted: Wed 01 Oct 2014, 11:06    Post subject:  

Geoffrey wrote:
There are still Vulnerabilities with bash, my build has 2, can everyone that built packages run this in a terminal
Code:
curl https://shellshocker.net/shellshock_test.sh | bash


rg66's version built in x-slacko works ok in carolina


Do we know anything more about rg66's version? i.e. source and configure options?
Mine is BK's source and GNU patches configured with
Code:
--prefix=/usr --bindir=/bin --build=i486-pc-linux-gnu

additional options like "--without-bash-malloc --with-installed-readline ac_cv_func_working_mktime=yes" (from LFS) do not make any difference.

Does anybody know if these vulnerabilities are patched in 3.0?

_________________
== Here is how to solve your Linux problems fast ==
sheldonisaac

Joined: 21 Jun 2009
Posts: 882
Location: Philadelphia, PA

PostPosted: Wed 01 Oct 2014, 12:00    Post subject: the shellshock_test.sh  

Geoffrey wrote:
There are still Vulnerabilities with bash, my build has 2, can everyone that built packages run this in a terminal
Code:
curl https://shellshocker.net/shellshock_test.sh | bash

Please excuse: I did not build packages.
Quote:
> bash --version
GNU bash, version 4.3.27(1)-release (i486-pc-linux-gnu)


Quote:
curl -k https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2008 100 2008 0 0 7675 0 --:--:-- --:--:-- --:--:-- 23348
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash: line 34: 10724 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable

_________________
Dell E6410: BusterPup, Ermine, Xenial, etc
Intel DQ35JOE, Dell Vostro 430
Dell Mini 9, Acer Aspire One, EeePC 1018P

Last edited by sheldonisaac on Wed 01 Oct 2014, 13:34; edited 2 times in total
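
A way to condense the shellshock_test.sh output posted above into one line per check plus an exit status, so results from different builds can be compared. This is an added example, not part of the original thread or of shellshocker.net; the function names are hypothetical, and the sample is constructed and abridged, with the line format assumed from the output quoted in the post above.

```shell
#!/bin/sh
# Added example: condense shellshock_test.sh output into one line per check.

# Constructed sample, abridged from the output format quoted in the post above.
sample_output() {
    cat <<'SAMPLE'
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
bash: line 34: 10724 Segmentation fault
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
SAMPLE
}

# Reads test output on stdin; prints "<id> <ok|VULNERABLE>" per check and a
# totals line. Exit status: 0 = all checks ok, 1 = at least one VULNERABLE,
# 2 = no result lines at all (e.g. the download failed), so an empty run
# is never mistaken for a clean one.
summarise_shellshock() {
    awk '
        /^CVE-[^ ]+ .*: (VULNERABLE|not vulnerable)[ \t\r]*$/ {
            total++
            if ($0 ~ /: VULNERABLE[ \t\r]*$/) { bad++; print $1, "VULNERABLE" }
            else print $1, "ok"
            next
        }
        # Other lines (curl progress meter, crash and error messages from
        # the checks themselves) carry no verdict and are skipped.
        END {
            printf "checks=%d vulnerable=%d\n", total, bad
            if (total == 0) exit 2
            exit (bad > 0 ? 1 : 0)
        }
    '
}

sample_output | summarise_shellshock || echo "not clean (exit status $?)"
```

Saving the test script's output to a file and feeding that file to `summarise_shellshock` on stdin gives the same summary for a real run.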
darkcity


Joined: 23 May 2010
Posts: 2549
Location: near here

PostPosted: Wed 01 Oct 2014, 13:15    Post subject:  

Thanks for all the replies, I went with mavrothal's and it passes the test

I was wary because I tried a Puppy_Russia Bash pet and it tanked the cistern
https://archive.org/details/Puppy_Linux_Puppy_Russia

Cool
gjuhasz


Joined: 29 Sep 2008
Posts: 404

PostPosted: Wed 01 Oct 2014, 14:03    Post subject:  

Hi,

This single bash file seems to be OK for upup 3.8.3.1 (and for puli)

Download link:

http://www.smokey01.com/gjuhasz/Puli_bark5_final_Aug2014/patch/bin/bash

See the test result attached.

More details at http://murga-linux.com/puppy/viewtopic.php?t=88691


Have fun!

gjuhasz
[Attachment: shellshock_test.png]
