Author Topic: "Bash" bug?  (Read 5659 times)

0 Members and 1 Guest are viewing this topic.

Offline cicero

  • Full Member
  • ***
  • Posts: 169
  • Karma: 0
  • I've just joined!
    • View Profile
    • Awards
"Bash" bug?
« on: September 25, 2014, 09:46:56 am »
Anyone know anything about this apparent bug and if Peppermint 5 is vulnerable?

Means nothing to me but it seems to be being widely reported today.

Offline chemicalfan

  • Hero Member
  • *****
  • Posts: 1166
  • Karma: 36
  • Gender: Male
  • I've been here a little while!
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #1 on: September 25, 2014, 09:58:23 am »
Link?

Edit: There was a patch for bash yesterday, according to Ubuntu's changelog it was to fix CVE-2014-6271, but whether this is the same as reported, I don't know at the moment (probably is though)

Edit 2: RedHat don't seem to think it's fixed yet..... https://access.redhat.com/security/cve/CVE-2014-7169
« Last Edit: September 25, 2014, 10:09:01 am by chemicalfan »

Offline Mark Greaves (PCNetSpec)

  • Hero Member
  • *****
  • Posts: 18277
  • Karma: 479
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #2 on: September 25, 2014, 10:35:38 am »
If Peppermint 5 is up-to-date, the patched version of bash should already be present.

If you want to check:
Code: [Select]
dpkg -s bash | grep Version
should return
Code: [Select]
Version: 4.3-7ubuntu1.1
or later .. if it does you're OK, if it doesn't run:-

menu > System Tools > Software Updater

then check the version again.



Source:
(Ubuntu Security Notice USN-2362-1 for CVE-2014-6271 bash vulnerability)
http://www.ubuntu.com/usn/usn-2362-1/

--
« Last Edit: September 25, 2014, 11:16:40 am by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

Offline chemicalfan

  • Hero Member
  • *****
  • Posts: 1166
  • Karma: 36
  • Gender: Male
  • I've been here a little while!
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #3 on: September 25, 2014, 11:43:10 am »
But I'm assuming that the patch Ubuntu issued hasn't fixed it (otherwise surely RedHat would have nicked it, under the GPL?).
So, I'm expecting another patch to be issued in the next day or two.

In fairness, I can't see how it could be remotely exploited unless you've already got/accepting remote connections (i.e. a website). Even then, if your website cleans the incoming data, again it shouldn't be a problem (unless I've mis-understood it, probably have)

Offline Mark Greaves (PCNetSpec)

  • Hero Member
  • *****
  • Posts: 18277
  • Karma: 479
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #4 on: September 25, 2014, 03:30:06 pm »
You're right .. the incomplete fix has been reassigned CVE-2014-7169 .. so I'd expect another update fairly soon.

And I'd agree, home users have little to worry about anyway.
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

Offline chemicalfan

  • Hero Member
  • *****
  • Posts: 1166
  • Karma: 36
  • Gender: Male
  • I've been here a little while!
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #5 on: September 25, 2014, 04:01:02 pm »
so I'd expect another update fairly soon.

Just thought I'd take the opportunity to point out the awesomeness of open source software here vs closed source (i.e. Windows) :D

Offline cicero

  • Full Member
  • ***
  • Posts: 169
  • Karma: 0
  • I've just joined!
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #6 on: September 25, 2014, 06:05:25 pm »
If Peppermint 5 is up-to-date, the patched version of bash should already be present.

If you want to check:
Code: [Select]
dpkg -s bash | grep Version
should return
Code: [Select]
Version: 4.3-7ubuntu1.1
or later .. if it does you're OK, if it doesn't run:-

menu > System Tools > Software Updater



Source:
(Ubuntu Security Notice USN-2362-1 for CVE-2014-6271 bash vulnerability)
http://www.ubuntu.com/usn/usn-2362-1/

--


Thanks, Mark

Have done as you suggested and it returned the text you mentioned.

Can i ask if this is the same for Mint 17 as my friend uses it?

Thanks.

Offline Mark Greaves (PCNetSpec)

  • Hero Member
  • *****
  • Posts: 18277
  • Karma: 479
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #7 on: September 25, 2014, 06:25:41 pm »
Yeah, should be the same for Mint 17 :)
(or any other Ubuntu 14.04 based distro for that matter)

--
« Last Edit: September 25, 2014, 06:27:40 pm by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

Offline cicero

  • Full Member
  • ***
  • Posts: 169
  • Karma: 0
  • I've just joined!
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #8 on: September 25, 2014, 07:33:39 pm »
Yeah, should be the same for Mint 17 :)
(or any other Ubuntu 14.04 based distro for that matter)

--

Thanks very much, I'll let her know tomorrow.

Regards,

Doug

Offline Mark Greaves (PCNetSpec)

  • Hero Member
  • *****
  • Posts: 18277
  • Karma: 479
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • Awards
Re: "Bash" bug?
« Reply #9 on: September 26, 2014, 02:52:35 pm »
I've just received a second security update to bash .. haven't checked the changelog yet, but hopefully this puts this bug to bed.

[EDIT]

Quote
Changelog

bash (4.3-7ubuntu1.3) trusty-security; urgency=medium

  * Updated debian/patches/CVE-2014-7169.diff to also patch y.tab.c in
    case it doesn't get regenerated when built (LP: #1374207)
 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>   Thu, 25 Sep 2014 21:20:03 -0400

Guess we'll have to wait and see if anyone finds this one "incomplete" :)
« Last Edit: September 26, 2014, 03:05:30 pm by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

 


SimplePortal 2.3.3 © 2008-2010, SimplePortal