From: Heiko Z. <he...@zu...> - 2014-10-11 18:10:22

The latest and greatest test build is in the testing directory now. If
everything goes well, this will become the official 1.6.6.

Heiko

Quoting Heiko Zuerker <he...@zu...>:

> Another bash patch came out. I added it to CVS.
>
> Heiko
>
> Quoting Dominic Raferd <do...@ti...>:
>
>> The new version passes both those bash shellshock tests, thanks Heiko.
>>
>> I have solved my boot-from-USB issue. I have worked around the locked
>> CD/DVD drive issue by adding this to /etc/init.d/boot.local:
>>
>> # if running from ram or not booting from CD/DVD, and CD/DVD drive is locked, unlock it
>> [ -f /shm/dl_run_from_ram -o -z "$(grep -E "^/dev/(cdrom|sr)" /shm/DL_DEVICE)" ] && [ "$(cat /proc/sys/dev/cdrom/lock 2>/dev/null)" = "1" ] && echo 0 >/proc/sys/dev/cdrom/lock
>>
>> Sadly udev doesn't detect disks being inserted or removed, maybe this is
>> because DL lacks 'udisks', so after a physical load I have to execute
>> CLI mount, and similarly umount is required to eject a disk (the eject
>> button doesn't work if the disk is mounted). (DL also lacks the 'eject'
>> command BTW.)
>>
>> Dominic
>>
>> On 06/10/2014 14:14, Heiko Zuerker wrote:
>>> I'm uploading the latest and greatest build right now.
>>> It includes the latest bash patches and a couple of other software updates.
>>> The upload should be finished at the latest in 2-3 hours from the time I
>>> sent this email.
>>>
>>> Let me know how the testing goes.
>>>
>>> Heiko
>>>
>>> Quoting Dominic Raferd <do...@ti...>:
>>>
>>>> 1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186
>>>> and CVE-2014-7187, sorry.
>>>>
>>>> Dominic
>>>>
>>>> On 04/10/2014 14:03, hz wrote:
>>>>> Another patch was released. It's in CVS already.
>>>>>
>>>>> Best Regards
>>>>> Heiko Zuerker
>>>>>
>>>>> -----Original Message-----
>>>>> From: hz [mailto:he...@zu...]
>>>>> Sent: Friday, October 03, 2014 8:01 AM
>>>>> To: dev...@li...
>>>>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>>>>
>>>>> I'm uploading the latest build into the testing folder, should be done
>>>>> in a couple of hours.
>>>>> Let me know how it looks.
>>>>>
>>>>> Any suggestions on how long we should wait to see if another bash patch
>>>>> comes out, before I officially release 1.6.6?
>>>>>
>>>>> Heiko
>>>>>
>>>>> -----Original Message-----
>>>>> From: Heiko Zuerker [mailto:he...@zu...]
>>>>> Sent: Thursday, October 02, 2014 3:44 PM
>>>>> To: dev...@li...
>>>>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>>>>
>>>>> The latest patch is in CVS now.
>>>>> I'm booting my firewall from a USB stick and have no issues with it.
>>>>>
>>>>> I think there's one piece that prevents us from unmounting the disk
>>>>> completely. If I remember correctly, it's part of the initrd script if
>>>>> you want to dig around.
>>>>>
>>>>> Heiko
>>>>>
>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>
>>>>>>> It seems that they keep finding issues in bash right now, so we'll
>>>>>>> gotta keep an eye on that for a bit.
>>>>>> You were not wrong! DL testing is still vulnerable to CVE-2014-7186
>>>>>> and CVE-2014-7187 - tests at
>>>>>> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
>>>>>> patches for bash 4.2 to fix this are at
>>>>>> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>>>>>>
>>>>>> Off topic sorry, but since we are looking to a new release of DL:
>>>>>>
>>>>>> 1. I have had a problem for the last year or two that I cannot get any
>>>>>> of my USB drives to boot DL, instead I have to boot via CD/DVD (which
>>>>>> I admit has some security advantages). I have assumed this is
>>>>>> something to do with my motherboard/BIOS settings (though I have
>>>>>> tweaked these without success), but I wondered if anyone else has had
>>>>>> the same difficulties? I have tried with both Syslinux and Grub boot
>>>>>> loaders.
>>>>>> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked
>>>>>> even if I have chosen to load and run the system from RAM - i.e. the
>>>>>> eject button on the drive does not work. Is this by design? It
>>>>>> certainly makes upgrading more of a faff, because I can only change
>>>>>> the disk after the machine reboots, and then the machine usually has
>>>>>> to be physically rebooted again to get the new disk to boot.
>>>>>>
>>>>>> Dominic
>>>>>>
>>>>>> On 30/09/2014 19:35, Dominic Raferd wrote:
>>>>>>> Seems good. Many thanks.
>>>>>>>
>>>>>>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>>>>>>> test
>>>>>>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>>>>>>> date
>>>>>>> cat: /tmp/echo: No such file or directory
>>>>>>>
>>>>>>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>>>>>>> The compile finished successfully last night and I'm uploading into
>>>>>>>> the testing folder right now.
>>>>>>>> It'll take a couple hours for it to complete.
>>>>>>>>
>>>>>>>> Please test and let me know if you confirm that the bug is resolved.
>>>>>>>> It seems that they keep finding issues in bash right now, so we'll
>>>>>>>> gotta keep an eye on that for a bit.
>>>>>>>>
>>>>>>>> Heiko
>>>>>>>>
>>>>>>>> Quoting Heiko Zuerker <he...@zu...>:
>>>>>>>>
>>>>>>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Heiko Zuerker
>>>>>>>>>
>>>>>>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd <do...@ti...> wrote:
>>>>>>>>>>
>>>>>>>>>> Hope you had a good break Heiko!
>>>>>>>>>>
>>>>>>>>>> For DL, I haven't seen or heard of a patch, and
>>>>>>>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at
>>>>>>>>>> least in the meantime bash source has been better patched by those
>>>>>>>>>> good redhat people
>>>>>>>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>>>>>>>
>>>>>>>>>> Dominic
>>>>>>>>>>
>>>>>>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>>>>>>> I just came back from vacation. I assume nobody worked on the
>>>>>>>>>>> patch yet?
>>>>>>>>>>>
>>>>>>>>>>> Heiko
>>>>>>>>>>>
>>>>>>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>>>>>>
>>>>>>>>>>>> Would be grateful if someone could fix DL's bash for the shell
>>>>>>>>>>>> shock bug asap
>>>>>>>>>>>> (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>>>>>>>> Andrzej, Heiko, anyone?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux
>>>>>>>>>>>> 1.6.5-2014-04-09, Linux 3.2.56)
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Devil-linux-discuss mailing list
>>>>>>>>>>>> Dev...@li...
>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>
> --
>
> Regards
> Heiko Zuerker

--
Regards
Heiko Zuerker
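The thread accepts or rejects each test build by running the diagnostics from the linked Wikipedia page by hand, but only two of them appear in the quoted session. The following POSIX sh check is an added example, not code from the thread or from the Devil-Linux project: it wraps the two commands Dominic ran (CVE-2014-6271 and CVE-2014-7169) together with the CVE-2014-7186 (here-document redirection stack) and CVE-2014-7187 (nested for-loop line-number array) tests from that Wikipedia page, and prints one status line per CVE plus a final RESULT line. The function name `shellshock_check`, the scratch-directory handling and the reliance on `mktemp` and `env` are my choices; the bash under test is whatever `bash` is on PATH unless a path is given as the first argument.

```shell
#!/bin/sh
# Added example: run the published Shellshock diagnostics against a bash
# binary and report one line per CVE. Not part of the thread or of
# Devil-Linux. Assumes `env` and `mktemp` are available and $TMPDIR is
# writable; the bash under test comes from $1 (default: "bash" on PATH).

shellshock_check() {
    bash_bin="${1:-bash}"
    rc=0

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "ERROR: $bash_bin not found"
        return 2
    fi

    # CVE-2014-6271: function import via the environment. A fixed bash
    # prints only "test"; an unfixed one also runs the trailing command and
    # prints "vulnerable". Old- and new-style variable names are both tried,
    # exactly as in the session quoted in the thread.
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "CVE-2014-6271: VULNERABLE"; rc=1 ;;
        *)            echo "CVE-2014-6271: ok" ;;
    esac

    # CVE-2014-7169: the first fix left a parser bug that turns the crafted
    # definition into a redirection, creating a file named "echo" in the
    # current directory. Run it in a scratch directory so nothing is written
    # to /tmp or the caller's cwd, then look for that file.
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env 'x=() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; rc=1
    else
        echo "CVE-2014-7169: ok"
    fi
    rm -rf "$scratch"

    # CVE-2014-7186: fourteen here-documents overflow the redirection stack
    # of an unfixed bash, which crashes; a non-zero exit status marks it.
    # A fixed bash only warns about the unterminated here-documents.
    if "$bash_bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        echo "CVE-2014-7186: ok"
    else
        echo "CVE-2014-7186: VULNERABLE"; rc=1
    fi

    # CVE-2014-7187: 200 nested for-loops (each with an empty word list, so
    # nothing executes) overflow the line-number tracking array; again a
    # crash, seen as a non-zero exit status, marks an unfixed bash.
    script=""
    i=1
    while [ "$i" -le 200 ]; do
        script="$script
for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 200 ]; do
        script="$script
done"
        i=$((i + 1))
    done
    if printf '%s\n' "$script" | "$bash_bin" >/dev/null 2>&1; then
        echo "CVE-2014-7187: ok"
    else
        echo "CVE-2014-7187: VULNERABLE"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "RESULT: safe"
    else
        echo "RESULT: vulnerable"
    fi
    return "$rc"
}

# Stand-alone use: sh shellshock_check.sh [/path/to/bash]
shellshock_check "$@"
```

The exit status is the useful part for a release checklist: 0 means every test passed, 1 means at least one failed, 2 means the check itself could not run (no such bash, no scratch directory), so a missing binary is never mistaken for a crash. Because the 7186 and 7187 tests are detected purely by bash exiting non-zero, run the check against the exact binary that ships in the build (pass its path as the argument) rather than the host's own bash.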