From: Dominic R. <do...@ti...> - 2014-09-25 10:18:07
Would be grateful if someone could fix DL's bash for the shell shock bug asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/). Andrzej, Heiko, anyone?

Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09, Linux 3.2.56)

From: Heiko Z. <he...@zu...> - 2014-09-29 20:03:10
I just came back from vacation. I assume nobody worked on the patch yet?

Heiko

--
Regards
Heiko Zuerker

From: Dominic R. <do...@ti...> - 2014-09-29 20:01:07
Hope you had a good break Heiko!

For DL, I haven't seen or heard of a patch, and ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at least in the meantime bash source has been better patched by those good redhat people http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...

Dominic

From: Heiko Z. <he...@zu...> - 2014-09-30 01:48:06
The latest patches are in CVS, we'll see how the compile tonight goes.

Regards
Heiko Zuerker

From: Heiko Z. <he...@zu...> - 2014-09-30 13:14:12
The compile finished successfully last night and I'm uploading into the testing folder right now. It'll take a couple hours for it to complete.

Please test and let me know if you confirm that the bug is resolved. It seems that they keep finding issues in bash right now, so we'll gotta keep an eye on that for a bit.

Heiko

--
Regards
Heiko Zuerker

From: Dominic R. <do...@ti...> - 2014-09-30 16:35:20
Seems good. Many thanks.

root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
test
root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

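The two checks from the session above, wrapped as a repeatable test that states its verdict instead of leaving the output to be read by eye. This is an added example, not part of the original message or Devil-Linux's own tooling. The function names, the `--run` switch and the scratch directory are assumptions of the example; the two `env` commands are the ones from the message.

```shell
#!/bin/sh
# Added example: repeatable form of the two checks from the message above.
# Function names and the scratch directory are choices made for this example.

# Check 1 prints only "test" on a fixed bash. If "vulnerable" shows up, bash
# ran the command that trails the function definition in the environment.
classify_funcdef_check() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        test)         echo patched ;;
        *)            echo inconclusive ;;
    esac
}

# Check 2 prints the literal word "date" on a fixed bash. A vulnerable parser
# instead runs `date` and redirects its output into a file named "echo" in
# the current directory, so the existence of that file is the signal.
# $1 = captured stdout, $2 = 1 if the file was created, else 0.
classify_parser_check() {
    if [ "$2" = 1 ]; then
        echo vulnerable
    elif [ "$1" = date ]; then
        echo patched
    else
        echo inconclusive
    fi
}

# check_bash [PATH_TO_BASH]: run both checks against one bash binary.
# Returns 0 only if both checks classify the binary as patched.
check_bash() {
    bash_bin=${1:-bash}
    scratch=$(mktemp -d) || return 2

    out1=$(env 'x=() { :;}; echo vulnerable' \
               'BASH_FUNC_x()=() { :;}; echo vulnerable' \
               "$bash_bin" -c "echo test" 2>/dev/null) || true

    # Run in a private directory rather than /tmp, so nothing that already
    # exists there has to be removed or can be mistaken for a result.
    out2=$(cd "$scratch" && env 'x=() { (a)=>\' "$bash_bin" -c "echo date" 2>/dev/null) || true

    created=0
    if [ -e "$scratch/echo" ]; then created=1; fi
    rm -rf "$scratch"

    r1=$(classify_funcdef_check "$out1")
    r2=$(classify_parser_check "$out2" "$created")
    echo "function-definition check: $r1"
    echo "parser-state check:        $r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

# Stand-alone use: sh check.sh --run /bin/bash
if [ "${1:-}" = "--run" ]; then
    check_bash "${2:-bash}"
fi
```

A result of `patched` here covers only these two checks; it says nothing about the later issues raised further down the thread.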
From: Dominic R. <do...@ti...> - 2014-10-02 05:35:07
> It seems that they keep finding issues in bash right now, so we'll
> gotta keep an eye on that for a bit.

You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and CVE-2014-7187 - tests at http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New) patches for bash 4.2 to fix this are at http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.

Off topic sorry, but since we are looking to a new release of DL:

1. I have had a problem for the last year or two that I cannot get any of my USB drives to boot DL, instead I have to boot via CD/DVD (which I admit has some security advantages). I have assumed this is something to do with my motherboard/BIOS settings (though I have tweaked these without success), but I wondered if anyone else has had the same difficulties? I have tried with both Syslinux and Grub boot loaders.

2. If I boot from CD/DVD the CD/DVD drive remains physically locked even if I have chosen to load and run the system from RAM - i.e. the eject button on the drive does not work. Is this by design? It certainly makes upgrading more of a faff, because I can only change the disk after the machine reboots, and then the machine usually has to be physically rebooted again to get the new disk to boot.

Dominic

From: Heiko Z. <he...@zu...> - 2014-10-02 20:43:47
The latest patch is in CVS now.

I'm booting my firewall from a USB stick and have no issues with it.

I think there's one piece that prevents us from unmounting the disk completely. If I remember correctly, it's part of the initrd script if you want to dig around.

Heiko

--
Regards
Heiko Zuerker

From: hz <he...@zu...> - 2014-10-03 13:01:21
I'm uploading the latest build into the testing folder, should be done in a couple of hours. Let me know how it looks.

Any suggestions on how long we should wait to see if another bash patch comes out, before I officially release 1.6.6?

Heiko

From: hz <he...@zu...> - 2014-10-04 13:04:07
|
Another patch was released. It's in CVS already.

Best Regards
Heiko Zuerker

-----Original Message-----
From: hz [mailto:he...@zu...]
Sent: Friday, October 03, 2014 8:01 AM
To: dev...@li...
Subject: Re: [Devil-Linux-discuss] Shell shock bash fix

I'm uploading the latest build into the testing folder, should be done in a couple of hours.
Let me know how it looks.

Any suggestions on how long we should wait to see if another bash patch comes out, before I officially release 1.6.6?

Heiko

-----Original Message-----
From: Heiko Zuerker [mailto:he...@zu...]
Sent: Thursday, October 02, 2014 3:44 PM
To: dev...@li...
Subject: Re: [Devil-Linux-discuss] Shell shock bash fix

The latest patch is in CVS now.
I'm booting my firewall from a USB stick and have no issues with it.

I think there's one piece that prevents us from unmounting the disk completely. If I remember correctly, it's part of the initrd script if you want to dig around.

Heiko

Quoting Dominic Raferd <do...@ti...>:

>> It seems that they keep finding issues in bash right now, so we'll
>> gotta keep an eye on that for a bit.
>
> You were not wrong! DL testing is still vulnerable to CVE-2014-7186
> and CVE-2014-7187 - tests at
> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
> patches for bash 4.2 to fix this are at
> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>
> Off topic sorry, but since we are looking to a new release of DL:
>
> 1. I have had a problem for the last year or two that I cannot get any
> of my USB drives to boot DL, instead I have to boot via CD/DVD (which
> I admit has some security advantages). I have assumed this is
> something to do with my motherboard/BIOS settings (though I have
> tweaked these without success), but I wondered if anyone else has had
> the same difficulties? I have tried with both Syslinux and Grub boot loaders.
>
> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked
> even if I have chosen to load and run the system from RAM - i.e. the
> eject button on the drive does not work. Is this by design? It
> certainly makes upgrading more of a faff, because I can only change
> the disk after the machine reboots, and then the machine usually has
> to be physically rebooted again to get the new disk to boot.
>
> Dominic
>
> On 30/09/2014 19:35, Dominic Raferd wrote:
>> Seems good. Many thanks.
>>
>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>> test
>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>> date
>> cat: /tmp/echo: No such file or directory
>>
>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>> The compile finished successfully last night and I'm uploading into
>>> the testing folder right now.
>>> It'll take a couple hours for it to complete.
>>>
>>> Please test and let me know if you confirm that the bug is resolved.
>>> It seems that they keep finding issues in bash right now, so we'll
>>> gotta keep an eye on that for a bit.
>>>
>>> Heiko
>>>
>>> Quoting Heiko Zuerker <he...@zu...>:
>>>
>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>
>>>> Regards
>>>> Heiko Zuerker
|
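Added example, not part of the thread or of Devil-Linux: the two checks quoted in Dominic's 30/09/2014 message, wrapped as a pass/fail gate that can be run against a freshly built bash before a release. The function names are hypothetical, a private temporary directory replaces /tmp, and the CVE-2014-7186 and CVE-2014-7187 tests the thread refers to are not shown on this page and are not covered.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Return codes of each check: 0 patched, 1 vulnerable, 2 inconclusive.

# Check 1 (first command in the thread): text trailing a function definition
# in an environment variable must not run. Both variable names are supplied.
check_func_import() (
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$1" -c 'echo test' 2>/dev/null) || :
    case $out in
        *vulnerable*) exit 1 ;;
        test)         exit 0 ;;
        *)            exit 2 ;;   # shell did not run or printed something else
    esac
)

# Check 2 (second command in the thread): a malformed definition must not
# leave a redirection behind that turns "echo date" into a file named "echo".
# Runs in a private directory, so "$1" must be an absolute path.
check_parser_redirect() (
    dir=$(mktemp -d) || exit 2
    cd "$dir" || exit 2
    out=$(env 'x=() { (a)=>\' "$1" -c 'echo date' 2>/dev/null) || :
    if [ -e echo ]; then
        rc=1                      # stray file created: parser state leaked
    elif [ "$out" = date ]; then
        rc=0
    else
        rc=2
    fi
    cd / && rm -rf "$dir"
    exit "$rc"
)

# Run both checks; exit 1 if any is vulnerable, 2 if any is inconclusive.
shellshock_gate() (
    bin=$(command -v "${1:-bash}") || {
        echo "shell not found: ${1:-bash}" >&2
        exit 2
    }
    case $bin in /*) ;; *) bin=$PWD/$bin ;; esac
    vulnerable=0
    unsure=0
    for check in check_func_import check_parser_redirect; do
        rc=0
        "$check" "$bin" || rc=$?
        case $rc in
            0) verdict=patched ;;
            1) verdict=VULNERABLE; vulnerable=1 ;;
            *) verdict=inconclusive; unsure=1 ;;
        esac
        printf '%-22s %s\n' "$check" "$verdict"
    done
    [ "$vulnerable" -eq 1 ] && exit 1
    [ "$unsure" -eq 1 ] && exit 2
    exit 0
)

# Run as: sh shellshock_gate.sh /path/to/bash   (script name is hypothetical)
if [ $# -gt 0 ]; then
    shellshock_gate "$1"
    exit $?
fi
```

An inconclusive result (the binary is missing or prints something unexpected) is kept separate from a pass, so a broken build cannot be mistaken for a patched one.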
From: Dominic R. <do...@ti...> - 2014-10-05 06:01:46
|
1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186 and CVE-2014-7187, sorry.

Dominic

On 04/10/2014 14:03, hz wrote:
> Another patch was released. It's in CVS already.
>
> Best Regards
> Heiko Zuerker
|
From: Heiko Z. <he...@zu...> - 2014-10-06 13:14:36
|
I'm uploading the latest and greatest build right now.
It includes the latest bash patches and a couple of other software updates.
The upload should be finished in latest in 2-3 hours from the time I sent this email.

Let me know how the testing goes.

Heiko

Quoting Dominic Raferd <do...@ti...>:

> 1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186
> and CVE-2014-7187, sorry.
>
> Dominic

--
Regards
Heiko Zuerker
|
From: Dominic R. <do...@ti...> - 2014-10-07 11:34:28
|
The new version passes both those bash shellshock tests, thanks Heiko.

I have solved my boot-from-USB issue. I have worked around the locked CD/DVD drive issue by adding this to /etc/init.d/boot.local:

# if running from ram or not booting from CD/DVD, and CD/DVD drive is locked, unlock it
[ -f /shm/dl_run_from_ram -o -z "$(grep -E "^/dev/(cdrom|sr)" /shm/DL_DEVICE)" ] && [ "$(cat /proc/sys/dev/cdrom/lock 2>/dev/null)" = "1" ] && echo 0 >/proc/sys/dev/cdrom/lock

Sadly udev doesn't detect disks being inserted or removed, maybe this is because DL lacks 'udisks', so after a physical load I have to execute CLI mount, and similarly umount is required to eject a disk (the eject button doesn't work if the disk is mounted). (DL also lacks the 'eject' command BTW.)

Dominic

On 06/10/2014 14:14, Heiko Zuerker wrote:
> I'm uploading the latest and greatest build right now.
> It includes the latest bash patches and a couple of other software updates.
> The upload should be finished in latest in 2-3 hours from the time I
> sent this email.
>
> Let me know how the testing goes.
>
> Heiko
|
From: Heiko Z. <he...@zu...> - 2014-10-08 12:39:58
|
Another bash patch came out. I added it to CVS.

Heiko

Quoting Dominic Raferd <do...@ti...>:

> The new version passes both those bash shellshock tests, thanks Heiko.
>
> I have solved my boot-from-USB issue. I have worked around the locked
> CD/DVD drive issue by adding this to /etc/init.d/boot.local:
>
> # if running from ram or not booting from CD/DVD, and CD/DVD drive is locked, unlock it
> [ -f /shm/dl_run_from_ram -o -z "$(grep -E "^/dev/(cdrom|sr)" /shm/DL_DEVICE)" ] && [ "$(cat /proc/sys/dev/cdrom/lock 2>/dev/null)" = "1" ] && echo 0 >/proc/sys/dev/cdrom/lock
>
> Sadly udev doesn't detect disks being inserted or removed, maybe this is
> because DL lacks 'udisks', so after a physical load I have to execute
> CLI mount, and similarly umount is required to eject a disk (the eject
> button doesn't work if the disk is mounted). (DL also lacks the 'eject'
> command BTW.)
>
> Dominic

--
Regards
Heiko Zuerker
|
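Added example (not part of the original messages and not Devil-Linux code): the two shellshock checks Dominic ran by hand on 30/09/2014, wrapped as a script that can be re-run against each test build. BASH_BIN and the function names are this example's own choices, and the second check runs in a scratch directory instead of /tmp.

```shell
#!/bin/sh
# Re-run the two shellshock checks quoted in this thread against one bash binary.
# Assumption of this example: BASH_BIN names the bash to test (default: bash on PATH).
BASH_BIN="${BASH_BIN:-bash}"

# Check 1: function definitions smuggled in through the environment.
# A fixed bash prints only "test"; an unfixed one also prints "vulnerable".
check_function_import() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "unknown"; return; }
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$BASH_BIN" -c "echo test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        test)         echo "patched" ;;
        *)            echo "unknown" ;;
    esac
}

# Check 2: an unfixed bash leaves a file named "echo" in the current directory;
# a fixed bash just prints "date" and creates nothing.
check_stray_file() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "unknown"; return; }
    dir=$(mktemp -d) || { echo "unknown"; return; }
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c "echo date" ) >/dev/null 2>&1
    if [ -e "$dir/echo" ]; then
        result="vulnerable"
    else
        result="patched"
    fi
    rm -rf "$dir"
    echo "$result"
}

# Print one line per check; the return status is 0 only if both checks pass,
# so the script can gate a build or an upgrade step.
shellshock_report() {
    a=$(check_function_import)
    b=$(check_stray_file)
    echo "function-import check: $a"
    echo "stray-file check:      $b"
    [ "$a" = "patched" ] && [ "$b" = "patched" ]
}

shellshock_report
```

It does not cover the CVE-2014-7186 and CVE-2014-7187 tests mentioned in the thread, which are only referenced by link here.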
From: Heiko Z. <he...@zu...> - 2014-10-11 18:10:22
|
The latest and greatest test build is in the testing directory now.
If everything goes well, this will become the official 1.6.6.

Heiko

Quoting Heiko Zuerker <he...@zu...>:

> Another bash patch came out. I added it to CVS.
>
> Heiko

--
Regards
Heiko Zuerker
|
From: Dominic R. <do...@ti...> - 2014-10-12 06:17:52
Attachments:
install-on-usb.patch
|
Thanks Heiko, I'm now running this. I'm still investigating the Samba issue.

I attach a patch for install-on-usb which allows it to be run (with warning) to the installation device if you are running from ram. It works, and means I don't have to be physically present to run an upgrade.

Dominic

On 11/10/2014 19:10, Heiko Zuerker wrote:

> The latest and greatest test build is in the testing directory now.
> If everything goes well, this will become the official 1.6.6.
>
> Heiko

--
*TimeDicer* <http://www.timedicer.co.uk>: Free File Recovery from Whenever
|
From: Udo L. <udo...@al...> - 2014-10-13 14:28:54
|
Hi Heiko,

thanks for the good support! I have updated some web-, ftp- and one mailserver (with additional software for dovecot-sieve and roundcube) last weekend. All run well!

Udo

On 11.10.2014 20:10, Heiko Zuerker wrote:
> The latest and greatest test build is in the testing directory now.
> If everything goes well, this will become the official 1.6.6.
>
> Heiko |
From: Heiko Z. <he...@zu...> - 2014-10-13 18:30:48
|
I uploaded the official 1.6.6 to the FTP server and sourceforge.
Not sure yet when I'll get a chance to send out the official announcement and update the website.

--
Regards
Heiko Zuerker |
From: Udo L. <udo...@al...> - 2014-10-16 04:45:20
|
Hi,
unfortunately a little bit too fast:
https://www.openssl.org/news/secadv_20141015.txt

:-(

Sounds like an Update-War.

Udo

On 13.10.2014 20:30, Heiko Zuerker wrote:
> I uploaded the official 1.6.6 to the FTP server and sourceforge.
> Not sure yet when I'll get a chance to send out the official
> announcement and update the website. |
From: Heiko Z. <he...@zu...> - 2014-10-18 13:35:13
|
The latest openssl is in CVS now.

Heiko

Quoting Udo Lembke <udo...@al...>:

> Hi,
> unfortunately a little bit too fast:
> https://www.openssl.org/news/secadv_20141015.txt
>
> :-(
>
> Sounds like an Update-War.
>
> Udo

--
Regards
Heiko Zuerker |
From: Ma p. <the...@gm...> - 2014-11-04 14:53:39
|
Hi,

Don't you think that you should release an official iso with this bug correction to avoid people using a vulnerable release (1.6.6)?

Regards.

2014-10-18 15:35 GMT+02:00 Heiko Zuerker <he...@zu...>:

> The latest openssl is in CVS now.
>
> Heiko |
From: Heiko Z. <he...@zu...> - 2014-11-05 12:08:19
|
Agreed, but 1.6.7 is not ready yet. I need to do a few more updates, which are not yet complete. Unfortunately life keeps getting in the way of my hobbies (DL is one of those)...

I'm uploading the latest (working) test build to ftp://ftp.devil-linux.org/pub/devel/testing right now, which includes the fix. Should be complete in an hour or two from the time I sent this email.

Heiko

Quoting Ma poubelle <the...@gm...>:

> Hi,
>
> Don't you think that you should release an official iso with this bug
> correction to avoid people using a vulnerable release (1.6.6)?
>
> Regards.

--
Regards
Heiko Zuerker |
From: Ma p. <the...@gm...> - 2014-11-20 10:51:12
|
Thanks for your answer.

Do you know approximately when you will release 1.6.7 (just to plan our migration)?

Thanks a lot for your great job.

Regards

2014-11-05 13:08 GMT+01:00 Heiko Zuerker <he...@zu...>:

> Agreed, but 1.6.7 is not ready yet. I need to do a few more updates,
> which are not yet complete. Unfortunately life keeps getting in the way
> of my hobbies (DL is one of those)...
>
> I'm uploading the latest (working) test build to
> ftp://ftp.devil-linux.org/pub/devel/testing right now, which includes the
> fix. Should be complete in an hour or two from the time I sent this email.
>
> Heiko |
From: Heiko Z. <he...@zu...> - 2014-11-21 13:31:33
|
Hey,

Sorry for the late responses to my emails, things have been busy...
I'm hoping to complete this in the next couple of weeks, but can't make any promises.

Heiko

Quoting Ma poubelle <the...@gm...>:

> Thanks for your answer.
>
> Do you know approximately when you will release 1.6.7 (just to plan
> our migration)?
>
> Thanks a lot for your great job.
>
> Regards

--
Regards
Heiko Zuerker |
From: Udo L. <udo...@al...> - 2014-12-01 21:56:43
|
Hi Heiko,
please add the actual OpenVPN in 1.6.7:
https://forums.openvpn.net/topic17625.html

Thanks a lot for the good work!

Udo

On 21.11.2014 14:31, Heiko Zuerker wrote:
> Hey,
>
> Sorry for the late responses to my emails, things have been busy...
> I'm hoping to complete this in the next couple of weeks, but can't
> make any promises.
>
> Heiko |