Puppy Linux Discussion Forum
All times are UTC - 4
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
Page 12 of 13 [186 Posts]
perdido


Joined: 09 Dec 2013
Posts: 1394
Location: ¿Altair IV , Just north of Eeyore Junction.?

Posted: Fri 10 Oct 2014, 15:43

mavrothal wrote:
Bash-3.0.22.
Passes all tests.

Keep in mind that although older versions may not be vulnerable to given exploits, newer versions have better solutions for the given problems (till the next version of course...)


Puppy 4.1.2 friendly version that does not break frisbee.

Thanks!

.
ozsouth

Joined: 01 Jan 2010
Posts: 578
Location: S.E Australia

Posted: Fri 10 Oct 2014, 17:18    Post subject: Oscar Talks' slacko pet good

Oscar Talks' slacko pet passes all 7 tests in slacko 5.7 & 5.7.0

http://smokey01.com/OscarTalks/bash-4.2.53-slacko14.0.pet
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Fri 10 Oct 2014, 18:32

Latest Bash from Slackware in Slacko64-5.9.1.

Code:
# bash --version
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


Code:
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   4343      0 --:--:-- --:--:-- --:--:--  5350
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
bash: line 50: 12499 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
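Added example (not written by any poster in this thread): a shell helper that reads saved output of the tester shown in the posts above and lists which CVE checks still report VULNERABLE, skipping the curl progress meter and the bash crash message that gets interleaved with the findings. The function names are made up for this example, and the sample is abridged from the Slacko64 output above.

```shell
#!/bin/sh
# Sample tester output, abridged from the Slacko64 post above.
sample_report() {
    cat <<'SAMPLE'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100  2627  100  2627    0     0   4343      0 --:--:-- --:--:-- --:--:--  5350
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
bash: line 50: 12499 Segmentation fault      bash -c '...' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
SAMPLE
}

# Print one line per finding as "<CVE id><TAB><status>". Lines that are not
# findings (progress meter, crash messages) do not match and are skipped.
parse_shellshock_report() {
    awk '
        /^CVE-[0-9]+-[^ ]+ \(.*\): / {
            status = $0
            sub(/^.*\): /, "", status)   # keep the text after the last "): "
            sub(/\r$/, "", status)       # tolerate output saved with CRLF
            print $1 "\t" status
        }
    ' "$1"
}

# Print the ids still reported VULNERABLE; return 1 if there are any.
vulnerable_cves() {
    hits=$(parse_shellshock_report "$1" |
           awk -F'\t' '$2 == "VULNERABLE" { print $1 }')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Demo on the embedded sample.
report=$(mktemp)
sample_report > "$report"
parse_shellshock_report "$report"
vulnerable_cves "$report" || echo "bash still needs updating on this system"
rm -f "$report"
```

The non-zero return from `vulnerable_cves` makes it usable as a gate in an update script, for example after swapping in a new bash package.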
prehistoric


Joined: 23 Oct 2007
Posts: 1747

Posted: Fri 10 Oct 2014, 18:45

@James C,

See the explanation I added to my post concerning Fatdog 700 b1 and back porting to patch 630-631. We are now using slapt-get packages so this may work for your system also.
gcmartin

Joined: 14 Oct 2005
Posts: 6730
Location: Earth

Posted: Sat 11 Oct 2014, 12:47

Hello @Prehistoric and @James C. You may have noticed the difference in BASH version each is testing to yield your results.

@Prehistoric, if possible and time permits, could you boot a Lighthouse64 ISO?

prehistoric


Joined: 23 Oct 2007
Posts: 1747

Posted: Sat 11 Oct 2014, 15:48

@gcmartin,

When I got a fast download of Lighthouse Pup 6.02 b2, I ran a quick experiment of dropping in the binary from /bin/bash in Fatdog 700 b1. The version named in the prompt needs to be updated, and likely a few other files. This appears to work, but obviously it is not carefully tested to see if it breaks anything else. I'll leave that to people familiar with Lighthouse Puppy.
Code:
bash-4.1# bash --version
GNU bash, version 4.2.52(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
<root> ~
bash-4.1# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   6191      0 --:--:-- --:--:-- --:--:--  6931
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
<root> ~
bash-4.1#
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Sun 12 Oct 2014, 02:42

Slacko 5.7 from the Updates Manager.

Code:
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   6177      0 --:--:-- --:--:-- --:--:--  7297
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable



Code:
# bash --version
GNU bash, version 4.2.50(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#
Bird Dog

Joined: 15 Jun 2014
Posts: 68
Location: Toronto, Ontario, Canada

Posted: Sun 19 Oct 2014, 18:50    Post subject: Bash threat help

I would just like to thank all those who helped resolve this bash threat, especially dejan 555, mavrothal, Geoffrey and James C. It's nice there are knowledgeable people who will help in times of need.
I am running precise 5.6.1 and I used dejan's bash 4.3.30 dpup 487 and everything is not vulnerable. Unfortunately I haven't figured out how to paste from the terminal.
If precise 5.7.1 was to be recommended to a new member, would this bash update and the heartbleed update provided by shinobar be all that was necessary for a secure operating system?

Thanks, Bird Dog
prehistoric


Joined: 23 Oct 2007
Posts: 1747

Posted: Sun 19 Oct 2014, 20:04

@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability. SSLv3 is going away from all major browsers soon in any case. If the server demands SSL, and not TLS, it probably has other vulnerabilities stemming from old software. There are banks in this category.

This is not exactly a vulnerability in Puppy, but it is a weakness in secure communication which could compromise sensitive data. A man-in-the-middle could interfere with TLS connections, and cause fallback to SSL, if your browser allows this.
watchdog

Joined: 28 Sep 2012
Posts: 1928
Location: Italy

Posted: Mon 20 Oct 2014, 01:18

prehistoric wrote:
@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability.


In Firefox I use:

https://addons.mozilla.org/it/firefox/addon/ssl-version-control/?src=api
rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Mon 20 Oct 2014, 12:33

watchdog wrote:
prehistoric wrote:
@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability.


In Firefox I use:

https://addons.mozilla.org/it/firefox/addon/ssl-version-control/?src=api


Thanks. I had to find an EN page:
SSL Version Control 0.2 wrote:
As of version 0.2, this add-on should work with all Mozilla products, including Firefox, Firefox for Android, Thunderbird, and Seamonkey.


When I installed, I think I had to "Download anyway" but it seems to be working OK in
Quote:
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0 SeaMonkey/2.18
Build identifier: 20130502195722


From the little I've read, this looks like a relatively recently documented security flaw that I had not heard anything about. Thanks for that, too.
8Geee


Joined: 12 May 2008
Posts: 2079
Location: N.E. USA

Posted: Mon 20 Oct 2014, 23:10    Post subject: additional measures

I also use V.C.SSL 0.2. One thing about it that annoys me is that it auto-logins using TLS 1.0. After starting FF, one has to manually select either 1.1 or 1.2 versions. On browser-close, the setting reverts to TLS 1.0.

And of course, for the security-minded folks, about:config should be edited basically to allow anything with 256 in the name (especially sha256) and false those without 256 in the name.

Supposedly FF34 will remove ssl3 validations of all types, and eliminate rc4 logins.

bark_bark_bark

Joined: 05 Jun 2012
Posts: 1935
Location: Wisconsin USA

Posted: Tue 21 Oct 2014, 08:40

In SeaMonkey, all I had to do was uncheck the SSL 3 checkbox.
rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Tue 21 Oct 2014, 09:06

I tried setting SSL Version Control 0.2 to TLS 1.2 in the dropdown. I haven't had any problems with websites, yet, don't know if it is doing anything, and there is no longer a dropdown menu to select the version in this extension's preferences.
perdido


Joined: 09 Dec 2013
Posts: 1394
Location: ¿Altair IV , Just north of Eeyore Junction.?

Posted: Tue 21 Oct 2014, 11:11

rolf wrote:
I tried setting SSL Version Control 0.2 to TLS 1.2 in the dropdown. I haven't had any problems with websites, yet, don't know if it is doing anything, and there is no longer a dropdown menu to select the version in this extension's preferences.


This site tells you which SSL/TLS you are using.

https://www.howsmyssl.com/

Edit: forgot to mention I am using Firefox 16 Nightly and I had turned off SSL 3.0 before I went to this site. The site warned about a vulnerable cipher key; Firefox had not turned off the following vulnerable SSL 3.0 cipher key, security.ssl3.rsa_fips_des_ede3_sha, which was still marked as "true" in about:config. After changing it to "false", the only warning received from the connection was that the browser is using TLS 1.0.


.