|
From: Dominic R. <do...@ti...> - 2014-10-12 06:17:52
|
Thanks Heiko, I'm now running this. I'm still investigating the Samba issue.

I attach a patch for install-on-usb which allows it to be run (with warning) to the installation device if you are running from ram. It works, and means I don't have to be physically present to run an upgrade.

Dominic

On 11/10/2014 19:10, Heiko Zuerker wrote:
> The latest and greatest test build is in the testing directory now.
> If everything goes well, this will become the official 1.6.6.
>
> Heiko
>
> Quoting Heiko Zuerker <he...@zu...>:
>
>> Another bash patch came out. I added it to CVS.
>>
>> Heiko
>>
>> Quoting Dominic Raferd <do...@ti...>:
>>
>>> The new version passes both those bash shellshock tests, thanks Heiko.
>>>
>>> I have solved my boot-from-USB issue. I have worked around the locked
>>> CD/DVD drive issue by adding this to /etc/init.d/boot.local:
>>>
>>> # if running from ram or not booting from CD/DVD, and CD/DVD drive is locked, unlock it
>>> [ -f /shm/dl_run_from_ram -o -z "$(grep -E "^/dev/(cdrom|sr)" /shm/DL_DEVICE)" ] && [ "$(cat /proc/sys/dev/cdrom/lock 2>/dev/null)" = "1" ] && echo 0 >/proc/sys/dev/cdrom/lock
>>>
>>> Sadly udev doesn't detect disks being inserted or removed, maybe this is
>>> because DL lacks 'udisks', so after a physical load I have to execute
>>> CLI mount, and similarly umount is required to eject a disk (the eject
>>> button doesn't work if the disk is mounted). (DL also lacks the 'eject'
>>> command BTW.)
>>>
>>> Dominic
>>>
>>> On 06/10/2014 14:14, Heiko Zuerker wrote:
>>>> I'm uploading the latest and greatest build right now.
>>>> It includes the latest bash patches and a couple of other software updates.
>>>> The upload should be finished in latest in 2-3 hours from the time I
>>>> sent this email.
>>>>
>>>> Let me know how the testing goes.
>>>>
>>>> Heiko
>>>>
>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>
>>>>> 1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186
>>>>> and CVE-2014-7187, sorry.
>>>>>
>>>>> Dominic
>>>>>
>>>>> On 04/10/2014 14:03, hz wrote:
>>>>>> Another patch was released. It's in CVS already.
>>>>>>
>>>>>> Best Regards
>>>>>> Heiko Zuerker
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: hz [mailto:he...@zu...]
>>>>>> Sent: Friday, October 03, 2014 8:01 AM
>>>>>> To: dev...@li...
>>>>>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>>>>>
>>>>>> I'm uploading the latest build into the testing folder, should be done in a
>>>>>> couple of hours.
>>>>>> Let me know how it looks.
>>>>>>
>>>>>> Any suggestions on how long we should wait to see if another bash patch
>>>>>> comes out, before I officially release 1.6.6?
>>>>>>
>>>>>> Heiko
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Heiko Zuerker [mailto:he...@zu...]
>>>>>> Sent: Thursday, October 02, 2014 3:44 PM
>>>>>> To: dev...@li...
>>>>>> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>>>>>>
>>>>>> The latest patch is in CVS now.
>>>>>> I'm booting my firewall from a USB stick and have no issues with it.
>>>>>>
>>>>>> I think there's one piece that prevents us from unmounting the disk
>>>>>> completely. If I remember correctly, it's part of the initrd script if you
>>>>>> want to dig around.
>>>>>>
>>>>>> Heiko
>>>>>>
>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>
>>>>>>>> It seems that they keep finding issues in bash right now, so we'll
>>>>>>>> gotta keep an eye on that for a bit.
>>>>>>> You were not wrong! DL testing is still vulnerable to CVE-2014-7186
>>>>>>> and
>>>>>>> CVE-2014-7187 - tests at
>>>>>>> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
>>>>>>> patches for bash 4.2 to fix this are at
>>>>>>> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>>>>>>>
>>>>>>> Off topic sorry, but since we are looking to a new release of DL:
>>>>>>>
>>>>>>> 1. I have had a problem for the last year or two that I cannot get any
>>>>>>> of my USB drives to boot DL, instead I have to boot via CD/DVD (which
>>>>>>> I admit has some security advantages). I have assumed this is
>>>>>>> something to do with my motherboard/BIOS settings (though I have
>>>>>>> tweaked these without success), but I wondered if anyone else has had
>>>>>>> the same difficulties? I have tried with both Syslinux and Grub boot
>>>>>>> loaders.
>>>>>>> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked
>>>>>>> even if I have chosen to load and run the system from RAM - i.e. the
>>>>>>> eject button on the drive does not work. Is this by design? It
>>>>>>> certainly makes upgrading more of a faff, because I can only change
>>>>>>> the disk after the machine reboots, and then the machine usually has
>>>>>>> to be physically rebooted again to get the new disk to boot.
>>>>>>>
>>>>>>> Dominic
>>>>>>>
>>>>>>> On 30/09/2014 19:35, Dominic Raferd wrote:
>>>>>>>> Seems good. Many thanks.
>>>>>>>>
>>>>>>>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>>>>>>>> test
>>>>>>>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>>>>>>>> date
>>>>>>>> cat: /tmp/echo: No such file or directory
>>>>>>>>
>>>>>>>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>>>>>>>> The compile finished successfully last night and I'm uploading into
>>>>>>>>> the testing folder right now.
>>>>>>>>> It'll take a couple hours for it to complete.
>>>>>>>>>
>>>>>>>>> Please test and let me know if you confirm that the bug is resolved.
>>>>>>>>> It seems that they keep finding issues in bash right now, so we'll
>>>>>>>>> gotta keep an eye on that for a bit.
>>>>>>>>>
>>>>>>>>> Heiko
>>>>>>>>>
>>>>>>>>> Quoting Heiko Zuerker <he...@zu...>:
>>>>>>>>>
>>>>>>>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>>>>>>> Regards
>>>>>>>>>> Heiko Zuerker
>>>>>>>>>>
>>>>>>>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd
>>>>>>>>>>> <do...@ti...> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hope you had a good break Heiko!
>>>>>>>>>>>
>>>>>>>>>>> For DL, I haven't seen or heard of a patch, and
>>>>>>>>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at
>>>>>>>>>>> least in the meantime bash source has been better patched by those
>>>>>>>>>>> good redhat people
>>>>>>>>>>>
>>>>>>>>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>>>>>>>> Dominic
>>>>>>>>>>>
>>>>>>>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>>>>>>>> I just came back from vacation. I assume nobody worked on the
>>>>>>>>>>>> patch yet?
>>>>>>>>>>>> Heiko
>>>>>>>>>>>>
>>>>>>>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Would be grateful if someone could fix DL's bash for the shell
>>>>>>>>>>>>> shock bug asap
>>>>>>>>>>>>> (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>>>>>>>>> Andrzej, Heiko, anyone?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux
>>>>>>>>>>>>> 1.6.5-2014-04-09, Linux 3.2.56)
>>
>> --
>>
>> Regards
>> Heiko Zuerker
>
--
*TimeDicer* <http://www.timedicer.co.uk>: Free File Recovery from Whenever |
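The two checks quoted in the message above (Dominic's test run of 30/09/2014), wrapped as a script that can be re-run against each new test build. This is an added example, not part of the original messages: the function names are illustrative, the second check runs in a scratch directory instead of /tmp, and only the two commands shown in the thread are covered, not the CVE-2014-7186/7187 tests the thread links to.

```sh
#!/bin/sh
# Added example: repeatable form of the two Shellshock checks quoted in the thread.
# Usage (after sourcing or pasting): shellshock_check [/path/to/bash]
# Return codes: 0 = check passed, 1 = vulnerable, 2 = could not run the check.

# Check 1: commands trailing a function definition in an environment variable
# must not be executed when bash starts (first quoted command).
check_env_function_import() {
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$1" -c 'echo test' 2>/dev/null) || return 2
    case $out in
        *vulnerable*) return 1 ;;   # injected command ran
        test)         return 0 ;;   # only the requested command ran
        *)            return 2 ;;   # unexpected output, treat as inconclusive
    esac
}

# Check 2: a malformed definition must not leave parser state behind that
# turns "echo date" into "date >echo" (second quoted command). A vulnerable
# bash creates a file named "echo" in the current directory.
check_parser_state_leak() {
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env 'x=() { (a)=>\' "$1" -c 'echo date' ) >/dev/null 2>&1 || :
    if [ -e "$scratch/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$scratch"
    return "$rc"
}

# Run both checks against one bash binary and report the worst result.
shellshock_check() {
    bash_bin=$(command -v "${1:-bash}") || { echo "bash not found" >&2; return 2; }
    # check 2 changes directory, so make a relative path absolute first
    case $bash_bin in /*) ;; *) bash_bin=$PWD/$bash_bin ;; esac
    worst=0
    for check in check_env_function_import check_parser_state_leak; do
        rc=0
        "$check" "$bash_bin" || rc=$?
        case $rc in
            0) echo "$check: not vulnerable" ;;
            1) echo "$check: VULNERABLE" ;;
            *) echo "$check: inconclusive" ;;
        esac
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}
```

Passing the path of a freshly built bash as the argument checks that binary rather than the one in PATH.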
|
From: Heiko Z. <he...@zu...> - 2014-10-11 18:10:22
|
The latest and greatest test build is in the testing directory now.
If everything goes well, this will become the official 1.6.6.

Heiko

Quoting Heiko Zuerker <he...@zu...>:

> Another bash patch came out. I added it to CVS.
>
> Heiko

--

Regards
Heiko Zuerker |
|
From: Heiko Z. <he...@zu...> - 2014-10-10 15:49:59
|
I don't really want to downgrade samba for everybody.
Don't you build your own DL (don't remember)? If yes, then simply replace the samba sources.

Heiko

Quoting Dominic Raferd <do...@ti...>:

> I believe I have found (and I have reported upstream) a bug in Samba
> 4.1.7+ which causes very slow connections for DOS-based clients. Is
> there any chance of reverting DL 1.6.6 back to Samba 4.1.6 (or 4.1.5)
> instead of 4.1.12?
>
> Dominic

--

Regards
Heiko Zuerker |
|
From: Dominic R. <do...@ti...> - 2014-10-10 13:29:07
|
I believe I have found (and I have reported upstream) a bug in Samba 4.1.7+ which causes very slow connections for DOS-based clients. Is there any chance of reverting DL 1.6.6 back to Samba 4.1.6 (or 4.1.5) instead of 4.1.12?

Dominic |
|
From: Heiko Z. <he...@zu...> - 2014-10-10 12:57:50
|
Cameron,

The version in the testing folder has the fix included, in addition to the shell shock patches:
ftp://ftp.devil-linux.org/pub/devel/testing

This is pretty much the same as the official 1.6.6 will be, except one bash patch is missing.
Once my nightly build works again, I'll upload that one also.

Heiko

Quoting cdmiller <cdm...@ad...>:

> Does this bug exist in the current release of Devil Linux kernel?
>
> Same as mentioned here:
> http://lists.openwall.net/netdev/2014/06/10/108
>
> and here:
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1337281
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754173
>
> Reason I ask is we saw similar behavior (extreme slow down) recently on
> outbound traffic for a NAT interface we set up on our Devil-Linux firewall.
>
> This was on Devil-Linux 1.6.2-i686 with 3.2.26-grsec.
>
> Thanks,
>
> - cameron

--

Regards
Heiko Zuerker |
|
From: cdmiller <cdm...@ad...> - 2014-10-09 22:03:56
|
Does this bug exist in the current release of Devil Linux kernel?

Same as mentioned here:
http://lists.openwall.net/netdev/2014/06/10/108

and here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1337281
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754173

Reason I ask is we saw similar behavior (extreme slow down) recently on outbound traffic for a NAT interface we set up on our Devil-Linux firewall.

This was on Devil-Linux 1.6.2-i686 with 3.2.26-grsec.

Thanks,

- cameron |
|
From: Heiko Z. <he...@zu...> - 2014-10-08 12:39:58
|
Another bash patch came out. I added it to CVS.

Heiko

Quoting Dominic Raferd <do...@ti...>:

> The new version passes both those bash shellshock tests, thanks Heiko.
>
> I have solved my boot-from-USB issue. I have worked around the locked
> CD/DVD drive issue by adding this to /etc/init.d/boot.local:
>
> # if running from ram or not booting from CD/DVD, and CD/DVD drive is locked, unlock it
> [ -f /shm/dl_run_from_ram -o -z "$(grep -E "^/dev/(cdrom|sr)" /shm/DL_DEVICE)" ] && [ "$(cat /proc/sys/dev/cdrom/lock 2>/dev/null)" = "1" ] && echo 0 >/proc/sys/dev/cdrom/lock
>
> Sadly udev doesn't detect disks being inserted or removed, maybe this is
> because DL lacks 'udisks', so after a physical load I have to execute
> CLI mount, and similarly umount is required to eject a disk (the eject
> button doesn't work if the disk is mounted). (DL also lacks the 'eject'
> command BTW.)
>
> Dominic

--
Regards
Heiko Zuerker |
|
From: Dominic R. <do...@ti...> - 2014-10-07 11:34:28
|
The new version passes both those bash shellshock tests, thanks Heiko.

I have solved my boot-from-USB issue. I have worked around the locked CD/DVD drive issue by adding this to /etc/init.d/boot.local:

# if running from ram or not booting from CD/DVD, and CD/DVD drive is locked, unlock it
[ -f /shm/dl_run_from_ram -o -z "$(grep -E "^/dev/(cdrom|sr)" /shm/DL_DEVICE)" ] && [ "$(cat /proc/sys/dev/cdrom/lock 2>/dev/null)" = "1" ] && echo 0 >/proc/sys/dev/cdrom/lock

Sadly udev doesn't detect disks being inserted or removed, maybe this is because DL lacks 'udisks', so after a physical load I have to execute CLI mount, and similarly umount is required to eject a disk (the eject button doesn't work if the disk is mounted). (DL also lacks the 'eject' command BTW.)

Dominic

On 06/10/2014 14:14, Heiko Zuerker wrote:
> I'm uploading the latest and greatest build right now.
> It includes the latest bash patches and a couple of other software updates.
> The upload should be finished in latest in 2-3 hours from the time I
> sent this email.
>
> Let me know how the testing goes.
>
> Heiko |
|
From: Heiko Z. <he...@zu...> - 2014-10-06 13:14:36
|
I'm uploading the latest and greatest build right now.
It includes the latest bash patches and a couple of other software updates.
The upload should be finished in latest in 2-3 hours from the time I sent this email.

Let me know how the testing goes.

Heiko

Quoting Dominic Raferd <do...@ti...>:

> 1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186
> and CVE-2014-7187, sorry.
>
> Dominic

--
Regards
Heiko Zuerker |
|
From: Dominic R. <do...@ti...> - 2014-10-05 06:01:46
|
1.6.6 testing dated 3 Oct 2014 still fails the tests for CVE-2014-7186 and CVE-2014-7187, sorry.

Dominic

On 04/10/2014 14:03, hz wrote:
> Another patch was released. It's in CVS already.
>
> Best Regards
> Heiko Zuerker
>
> -----Original Message-----
> From: hz [mailto:he...@zu...]
> Sent: Friday, October 03, 2014 8:01 AM
> To: dev...@li...
> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>
> I'm uploading the latest build into the testing folder, should be done in a
> couple of hours.
> Let me know how it looks.
>
> Any suggestions on how long we should wait to see if another bash patch
> comes out, before I officially release 1.6.6?
>
> Heiko
>
> -----Original Message-----
> From: Heiko Zuerker [mailto:he...@zu...]
> Sent: Thursday, October 02, 2014 3:44 PM
> To: dev...@li...
> Subject: Re: [Devil-Linux-discuss] Shell shock bash fix
>
> The latest patch is in CVS now.
> I'm booting my firewall from a USB stick and have no issues with it.
>
> I think there's one piece that prevents us from unmounting the disk
> completely. If I remember correctly, it's part of the initrd script if you
> want to dig around.
>
> Heiko
>
> Quoting Dominic Raferd <do...@ti...>:
>
>>> It seems that they keep finding issues in bash right now, so we'll
>>> gotta keep an eye on that for a bit.
>> You were not wrong! DL testing is still vulnerable to CVE-2014-7186
>> and CVE-2014-7187 - tests at
>> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
>> patches for bash 4.2 to fix this are at
>> http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.
>>
>> Off topic sorry, but since we are looking to a new release of DL:
>>
>> 1. I have had a problem for the last year or two that I cannot get any
>> of my USB drives to boot DL, instead I have to boot via CD/DVD (which
>> I admit has some security advantages). I have assumed this is
>> something to do with my motherboard/BIOS settings (though I have
>> tweaked these without success), but I wondered if anyone else has had
>> the same difficulties? I have tried with both Syslinux and Grub boot
>> loaders.
>> 2. If I boot from CD/DVD the CD/DVD drive remains physically locked
>> even if I have chosen to load and run the system from RAM - i.e. the
>> eject button on the drive does not work. Is this by design? It
>> certainly makes upgrading more of a faff, because I can only change
>> the disk after the machine reboots, and then the machine usually has
>> to be physically rebooted again to get the new disk to boot.
>>
>> Dominic
>>
>> On 30/09/2014 19:35, Dominic Raferd wrote:
>>> Seems good. Many thanks.
>>>
>>> root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>>> test
>>> root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
>>> date
>>> cat: /tmp/echo: No such file or directory
>>>
>>> On 30/09/2014 16:14, Heiko Zuerker wrote:
>>>> The compile finished successfully last night and I'm uploading into
>>>> the testing folder right now.
>>>> It'll take a couple hours for it to complete.
>>>>
>>>> Please test and let me know if you confirm that the bug is resolved.
>>>> It seems that they keep finding issues in bash right now, so we'll
>>>> gotta keep an eye on that for a bit.
>>>>
>>>> Heiko
>>>>
>>>> Quoting Heiko Zuerker <he...@zu...>:
>>>>
>>>>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>>>>
>>>>> Regards
>>>>> Heiko Zuerker
>>>>>
>>>>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd
>>>>>> <do...@ti...> wrote:
>>>>>>
>>>>>> Hope you had a good break Heiko!
>>>>>>
>>>>>> For DL, I haven't seen or heard of a patch, and
>>>>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at
>>>>>> least in the meantime bash source has been better patched by those
>>>>>> good redhat people
>>>>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>>>> Dominic
>>>>>>
>>>>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>>>>> I just came back from vacation. I assume nobody worked on the
>>>>>>> patch yet?
>>>>>>> Heiko
>>>>>>>
>>>>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>>>>
>>>>>>>> Would be grateful if someone could fix DL's bash for the shell
>>>>>>>> shock bug asap
>>>>>>>> (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>>>>> Andrzej, Heiko, anyone?
>>>>>>>>
>>>>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux
>>>>>>>> 1.6.5-2014-04-09, Linux 3.2.56) |
|
From: hz <he...@zu...> - 2014-10-04 13:04:07
|
Another patch was released. It's in CVS already.

Best Regards
Heiko Zuerker
|
|
From: hz <he...@zu...> - 2014-10-03 13:01:21
|
I'm uploading the latest build into the testing folder, should be done in a couple of hours.
Let me know how it looks.

Any suggestions on how long we should wait to see if another bash patch comes out, before I officially release 1.6.6?

Heiko
|
|
From: Heiko Z. <he...@zu...> - 2014-10-02 20:43:47
|
The latest patch is in CVS now.

I'm booting my firewall from a USB stick and have no issues with it.
I think there's one piece that prevents us from unmounting the disk completely. If I remember correctly, it's part of the initrd script if you want to dig around.

Heiko

--
Regards
Heiko Zuerker
|
|
From: Dominic R. <do...@ti...> - 2014-10-02 05:35:07
|
> It seems that they keep finding issues in bash right now, so we'll
> gotta keep an eye on that for a bit.

You were not wrong! DL testing is still vulnerable to CVE-2014-7186 and
CVE-2014-7187 - tests at
http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29. (New)
patches for bash 4.2 to fix this are at
http://ftp.gnu.org/gnu/bash/bash-4.2-patches/.

Off topic sorry, but since we are looking to a new release of DL:

1. I have had a problem for the last year or two that I cannot get any
of my USB drives to boot DL, instead I have to boot via CD/DVD (which I
admit has some security advantages). I have assumed this is something to
do with my motherboard/BIOS settings (though I have tweaked these
without success), but I wondered if anyone else has had the same
difficulties? I have tried with both Syslinux and Grub boot loaders.

2. If I boot from CD/DVD the CD/DVD drive remains physically locked even
if I have chosen to load and run the system from RAM - i.e. the eject
button on the drive does not work. Is this by design? It certainly makes
upgrading more of a faff, because I can only change the disk after the
machine reboots, and then the machine usually has to be physically
rebooted again to get the new disk to boot.

Dominic
|
|
From: Dominic R. <do...@ti...> - 2014-09-30 16:35:20
|
Seems good. Many thanks.

root@dl1:~ # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
test
root@dl1:~ # cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

On 30/09/2014 16:14, Heiko Zuerker wrote:
> The compile finished successfully last night and I'm uploading into
> the testing folder right now.
> It'll take a couple hours for it to complete.
>
> Please test and let me know if you confirm that the bug is resolved.
> It seems that they keep finding issues in bash right now, so we'll
> gotta keep an eye on that for a bit.
>
> Heiko
>
> Quoting Heiko Zuerker <he...@zu...>:
>
>> The latest patches are in CVS, we'll see how the compile tonight goes.
>>
>> Regards
>> Heiko Zuerker
>>
>>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd <do...@ti...> wrote:
>>>
>>> Hope you had a good break Heiko!
>>>
>>> For DL, I haven't seen or heard of a patch, and
>>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at least
>>> in the meantime bash source has been better patched by those good redhat
>>> people
>>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>>
>>> Dominic
>>>
>>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>>> I just came back from vacation. I assume nobody worked on the patch yet?
>>>>
>>>> Heiko
>>>>
>>>> Quoting Dominic Raferd <do...@ti...>:
>>>>
>>>>> Would be grateful if someone could fix DL's bash for the shell shock bug
>>>>> asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>>> Andrzej, Heiko, anyone?
>>>>>
>>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09,
>>>>> Linux 3.2.56)
|
|
From: Heiko Z. <he...@zu...> - 2014-09-30 13:15:22
|
Quoting c p <the...@gm...>:

> Hello,
>
> It has been almost one year since you published a release, don't you
> think it is a good moment with this (very important) bug for the 1.6.5?
>

Agreed. I'm uploading into the testing folder right now.
Once folks confirm that the release is good, then we can make it official.

--
Regards
Heiko Zuerker |
|
From: Heiko Z. <he...@zu...> - 2014-09-30 13:14:12
|
The compile finished successfully last night and I'm uploading into
the testing folder right now.
It'll take a couple hours for it to complete.

Please test and let me know if you confirm that the bug is resolved.
It seems that they keep finding issues in bash right now, so we'll
gotta keep an eye on that for a bit.

Heiko

Quoting Heiko Zuerker <he...@zu...>:

> The latest patches are in CVS, we'll see how the compile tonight goes.
>
> Regards
> Heiko Zuerker
>
>> On Sep 29, 2014, at 3:00 PM, Dominic Raferd <do...@ti...> wrote:
>>
>> Hope you had a good break Heiko!
>>
>> For DL, I haven't seen or heard of a patch, and
>> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at least
>> in the meantime bash source has been better patched by those good redhat
>> people
>> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>>
>> Dominic
>>
>>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>>> I just came back from vacation. I assume nobody worked on the patch yet?
>>>
>>> Heiko
>>>
>>> Quoting Dominic Raferd <do...@ti...>:
>>>
>>>> Would be grateful if someone could fix DL's bash for the shell shock bug
>>>> asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>>> Andrzej, Heiko, anyone?
>>>>
>>>> Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09,
>>>> Linux 3.2.56)

--
Regards
Heiko Zuerker |
|
From: c p <the...@gm...> - 2014-09-30 09:32:08
|
Hello,

It has been almost one year since you published a release, don't you
think it is a good moment with this (very important) bug for the 1.6.5?

Thanks in advance.
Regards. |
|
From: Heiko Z. <he...@zu...> - 2014-09-30 01:48:06
|
The latest patches are in CVS, we'll see how the compile tonight goes.

Regards
Heiko Zuerker

> On Sep 29, 2014, at 3:00 PM, Dominic Raferd <do...@ti...> wrote:
>
> Hope you had a good break Heiko!
>
> For DL, I haven't seen or heard of a patch, and
> ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at least
> in the meantime bash source has been better patched by those good redhat
> people
> http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...
>
> Dominic
>
>> On 29/09/2014 22:36, Heiko Zuerker wrote:
>> I just came back from vacation. I assume nobody worked on the patch yet?
>>
>> Heiko
>>
>> Quoting Dominic Raferd <do...@ti...>:
>>
>>> Would be grateful if someone could fix DL's bash for the shell shock bug
>>> asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>>> Andrzej, Heiko, anyone?
>>>
>>> Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09,
>>> Linux 3.2.56) |
|
From: Heiko Z. <he...@zu...> - 2014-09-29 20:03:10
|
I just came back from vacation. I assume nobody worked on the patch yet?

Heiko

Quoting Dominic Raferd <do...@ti...>:

> Would be grateful if someone could fix DL's bash for the shell shock bug
> asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
> Andrzej, Heiko, anyone?
>
> Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09,
> Linux 3.2.56)

--
Regards
Heiko Zuerker |
|
From: Dominic R. <do...@ti...> - 2014-09-29 20:01:07
|
Hope you had a good break Heiko!

For DL, I haven't seen or heard of a patch, and
ftp://ftp.devil-linux.org/pub/devel/testing/ is now empty. But at least
in the meantime bash source has been better patched by those good redhat
people
http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/...

Dominic

On 29/09/2014 22:36, Heiko Zuerker wrote:
> I just came back from vacation. I assume nobody worked on the patch yet?
>
> Heiko
>
> Quoting Dominic Raferd <do...@ti...>:
>
>> Would be grateful if someone could fix DL's bash for the shell shock bug
>> asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
>> Andrzej, Heiko, anyone?
>>
>> Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09,
>> Linux 3.2.56) |
|
From: Dominic R. <do...@ti...> - 2014-09-25 10:18:07
|
Would be grateful if someone could fix DL's bash for the shell shock bug
asap (http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/).
Andrzej, Heiko, anyone?

Thanks, Dominic (currently using Andrzej's Devil-Linux 1.6.5-2014-04-09,
Linux 3.2.56) |
|
From: Heiko Z. <he...@zu...> - 2014-07-27 19:50:08
|
Hi,

I don't think this is the right mailing list to address this issue.
You're asking about questions which relate to programming on a driver level.

Heiko

Quoting "Hernán M. GonzálezCalderón" <her...@gm...>:

> Hello again, I have already written here because of the same subject 5
> months ago, my final year project
> (http://thread.gmane.org/gmane.linux.drivers.ath5k.devel/5651). I come here
> asking what would be the best way of understanding the ath5k driver in order to
> get an 802.11p implementation based on that driver. Nowadays I have managed
> to get some of the basics about it thanks to your help and a huge amount of
> "printks", but regarding the implementation issue I couldn't achieve
> anything.
>
> My ordered change-needs list is:
>
> - Change emitting band to 5.9GHz
> - Change bandwidth to 10MHz (1/2 802.11p)
> - Set rest of parameters of 802.11p
> - Implement protocol stack of 802.11p
>
> Maybe it is a bit naive for a list, but so far I haven't accomplished even the
> first item so I won't worry about the rest right now.
>
> I guess that there are two ways of doing it. First, add a new mode for P or,
> second, modify A mode to get a P implementation.
>
> I'm into the first possibility. Now I'm trying to modify little by little
> the driver and related files in order to add a new mode beside 80211A,
> 80211B, ... But after all this time and the changes made I couldn't even
> change channel with "iw" to one of the P channels. I have added a new
> ieee80211_band band for 5.9GHz bands (in cfg80211.h), I have added a new
> ath5k_driver_mode PHY operation mode (in ath5k.h)... I know these changes
> won't get the thing done on their own, since I just add new elements to
> several enums, but I didn't expect them to "break" the driver. Yet, the
> initialization is failing from the beginning and it can't register the card.
>
> My first thought is that adding new elements to those enums could alter the
> offsets and the access to those structures is not being done the proper way.
> And this makes me think, "Wouldn't it be easier to just modify what is already
> done and transform A to P, instead of creating a new op mode?". I guess it is,
> so is there anyone here anyway that could answer me that? Or is there anyone
> here who could give me some hints about it? Right now I would be happy just
> being able to set the channel to one included in the 5,9GHz band by using
> "iw" or "iwconfig".

--
Regards
Heiko Zuerker |
|
From: Hernán M. G. <her...@gm...> - 2014-07-27 17:10:12
|
Hello again,

I have already written here because of the same subject 5 months ago, my final year project (http://thread.gmane.org/gmane.linux.drivers.ath5k.devel/5651). I come here asking what would be the best way of understanding the ath5k driver in order to get an 802.11p implementation based on that driver. Nowadays I have managed to get some of the basics about it thanks to your help and a huge amount of "printks", but regarding the implementation issue I couldn't achieve anything.

My ordered change-needs list is:

- Change emitting band to 5.9GHz
- Change bandwidth to 10MHz (1/2 802.11p)
- Set rest of parameters of 802.11p
- Implement protocol stack of 802.11p

Maybe it is a bit naive for a list, but so far I haven't accomplished even the first item so I won't worry about the rest right now.

I guess that there are two ways of doing it. First, add a new mode for P or, second, modify A mode to get a P implementation.

I'm into the first possibility. Now I'm trying to modify little by little the driver and related files in order to add a new mode beside 80211A, 80211B, ... But after all this time and the changes made I couldn't even change channel with "iw" to one of the P channels. I have added a new ieee80211_band band for 5.9GHz bands (in cfg80211.h), I have added a new ath5k_driver_mode PHY operation mode (in ath5k.h)... I know these changes won't get the thing done on their own, since I just add new elements to several enums, but I didn't expect them to "break" the driver. Yet, the initialization is failing from the beginning and it can't register the card.

My first thought is that adding new elements to those enums could alter the offsets and the access to those structures is not being done the proper way. And this makes me think, "Wouldn't it be easier to just modify what is already done and transform A to P, instead of creating a new op mode?". I guess it is, so is there anyone here anyway that could answer me that? Or is there anyone here who could give me some hints about it? Right now I would be happy just being able to set the channel to one included in the 5,9GHz band by using "iw" or "iwconfig". |
|
From: Aknine F. <akn...@gm...> - 2014-05-09 17:44:23
|
Hi Heiko,

First of all, thank you for the great work on Devil-Linux. It has worked very well at our company as a firewall for many years. (Starting from DL 1.2)

Last week I built my own custom DL 1.6.x from lfssystem64 and found some package issues, as described below:

[Package]: libpcap-1.0.0
[Issue]: does not install on final CD iso
[Fix]: I just replaced it with libpcap-1.1.1 from http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz and then it appeared in the final build CD iso. (It works, but I don't know why :-) )
libpcap-1.0.0 has a well known bug, it does not support the pseudo (any) interface, that is the main reason I had to replace it.

[Package]: Openvpn-2.3.2
[Issue]: 2.3.2 configure does not support
--with-ifconfig-path=/sbin/ifconfig
--with-iproute-path=/sbin/ip
--with-route-path=/sbin/route
[Fix]: it still works in the final build, but it is better to use environment variables as configure suggests:
IFCONFIG full path to ipconfig utility
ROUTE full path to route utility
IPROUTE full path to ip utility

I updated to openvpn-2.3.4 and patched it with an obfuscation patch to allow the vpn to pass out of China.
https://github.com/clayface/openvpn_xorpatch/blob/master/openvpn_xor.patch
I tested this obfuscation patch and it works fine on DL, just informing anybody who may be interested in using it.

[Package]: bandwidthd 2.0.1 (from http://bandwidthd.sourceforge.net/)
[Issue]: I failed at writing a custom build script. so ...ha ha.
[Fixed]: I manually "make" it in the lffsystem64 environment, then copy the binary file "bandwidthd" to the cdtree/usr/sbin directory before using the "make iso" command.
(Wish you could add it as an official package. I have waited for it for many years)

The custom build of DL works very well now, thanks again.

Regards
Aknine |