Shellshock vulnerability (Solved)

Are we worrying about this?

Just my luck. I switch to Linux and a non-Windows vulnerability pops up! I may just have jinxed Linux.

Which distro/version ?

If Peppermint 1, 3, 5 / Mint 9, 13, 17 / Ubuntu 10.04, 12.04, 14.04

a patched bash update has already been released, so just run the software updater to make sure you’re up to date.

[EDIT]

Vulnerabilities pop up all the time, and are dealt with just as quickly … way faster than in Windows, because of the open source nature most vulnerabilities are found and fixed before they are actually exploited, and fixes are released MUCH faster because everyone can study the code.

The only real difference is lately the press have taken to sensationalising them … which is their job I suppose.

BTW, see here:
http://linuxforums.org.uk/index.php?topic=12108.0
:wink:

Ubuntu 14.04.

I’ve run the updater. Fingers crossed.

By all accounts though, this vulnerability has been around for years…

It may well have been … and there’ll no doubt be others in the gazillions of lines of code … but a vulnerability is only a problem if/when an exploit comes to light.

Doesn’t change the fact that Linux is about as secure as it’s possible to get … and the nature of open source generally allows for faster discovery and resolution.

In this case, as with all the other recent “big news” vulnerabilities, nothing will have become of it … did Heartbleed bring the world to an end, or was it dealt with without crippling the whole web infrastructure as the news sites tried to convince everyone ?

The simple unchanged truth is - in the roughly 5 years I’ve used it I’ve NEVER had an issue with Linux security, and that’s without a firewall or AV (including on a webserver) and in spite of the press sensationalist scare stories … Linux works, full stop … even with uncrossed fingers :wink:

Shellshock, I moon in your face :stuck_out_tongue:

Well put. I’m just glad I’m not shellshock (moon/face etc).

Mind you, I would dispute that ‘a vulnerability is only a problem if/when an exploit comes to light’.

It’s a problem when someone quietly discovers and exploits it.

Once it comes to light it gets fixed, but that may be too late. Anything can be cracked. We shouldn’t be complacent.

I guess you’re disconnecting from the internet now then :stuck_out_tongue:

Ok, I’m thinking the press are making a little more of this than is relevant to the ‘average’ user …

Issues;

  1. if you are calling BASH from a webserver (CGI scripts etc) [who does this !!]
  2. Restricted ssh may allow unrestricted ssh [if you open port 22 to the Internet … well … !!]
  3. Connecting to a malicious DHCP server … Mmm … I guess if you visit hi-tech coffee shops … (!)
  4. CUPS … ditto … if you visit high tech coffee shops and try to connect to their printers … (!)

Yes it’s definitely worth upgrading Bash, but it’s really not worth a heart-attack …

I’d imagine the highlighted one is the biggest risk to the public, although the SSH is a big one for web companies (and in turn, their customers). That said, I doubt Starbucks etc use DHCP servers for that - I expect they just use their router’s DHCP function for the public WiFi.

How many Starbucks customers check they’re actually getting their IP from the coffeeshop’s own DHCP server rather than a malicious “man in the middle” DHCP server?

I think the point was … connecting to unknown networks is an inherently risky thing to do anyway.

As for ssh and “web companies” … that’s the web companies’ or VPS admin’s problem (the VPS admin really shouldn’t be presenting ssh to the internet unless through a certificate authenticated VPN tunnel anyway) … not a desktop linux “user” problem.

So from a desktop linux “user” perspective … this bug has made coffeeshop/unknown networks risky … well duh!!!

Quote: I think the point was … connecting to unknown networks is an inherently risky thing to do anyway.

Wi-Fi is freely available from many sources now, pubs, buses etc.

Should we stop using them…?

Jocklad :slight_smile:

You don’t have to stop using them, just assume that everything that is transmitted via it, is broadcast to everyone else

That’s up to you … even with this bug fixed, you’re still susceptible to packet interception.

As I said, unknown wireless (and indeed known wireless) networks were ALWAYS a risk to begin with.

I’ve just received a second security update to bash … haven’t checked the changelog yet, but hopefully this puts this bug to bed.

[EDIT]

Changelog

bash (4.3-7ubuntu1.3) trusty-security; urgency=medium

  • Updated debian/patches/CVE-2014-7169.diff to also patch y.tab.c in
    case it doesn’t get regenerated when built (LP: #1374207)
    – Marc Deslauriers [email protected] Thu, 25 Sep 2014 21:20:03 -0400

CVE-2014-6271

fix released,

CVE-2014-7169

fix released.

Guess we’ll have to wait and see if anyone finds this one “incomplete” :slight_smile:

Not just yet.

Reassured by the comments here, and I almost never connect via an unknown network anyway and even then, only on an iPod (and the hacker who would steal my music probably doesn’t exist!)

At home it’s ethernet, Linux and/or VMs, and my private data is encrypted and backed up (twice).

Paranoid? Me?

Yet another bash update today for Peppermint 5 / Ubuntu 14.04 / Mint 17 / any other 14.04 based distro

dpkg -s bash | grep -i version

should now report
4.3-7ubuntu1.4
anything less … run a manual update:

sudo apt-get update && sudo apt-get dist-upgrade
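
The version check from the post above as a script, added here as an example (not part of the original thread): it reads the Version field from `dpkg -s bash` and compares it with `dpkg --compare-versions` instead of by eye. The function names and the sample `dpkg -s` output are constructed for illustration; the threshold 4.3-7ubuntu1.4 is the one quoted in the post and applies only to 14.04-based systems.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Fixed package version quoted in the post above (Ubuntu 14.04 based distros only).
FIXED_TRUSTY="4.3-7ubuntu1.4"

# version_at_least INSTALLED FIXED -> exit status 0 if INSTALLED >= FIXED
version_at_least() {
    if command -v dpkg >/dev/null 2>&1; then
        # Debian's own ordering rules (handles revisions such as 7ubuntu1.4)
        dpkg --compare-versions "$1" ge "$2"
    else
        # Assumption: without dpkg, GNU sort -V is a close enough approximation
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# extract_version: read `dpkg -s bash` output on stdin, print the Version field
extract_version() {
    awk -F': ' '$1 == "Version" { print $2; exit }'
}

# bash_status INSTALLED -> prints "patched" or "outdated" for a 14.04 system
bash_status() {
    if version_at_least "$1" "$FIXED_TRUSTY"; then
        echo patched
    else
        echo outdated
    fi
}

# Constructed sample of `dpkg -s bash` output from a system one update behind
SAMPLE='Package: bash
Status: install ok installed
Version: 4.3-7ubuntu1.3
'

# On a dpkg-based system, report on the bash package actually installed
if command -v dpkg >/dev/null 2>&1; then
    installed=$(dpkg -s bash 2>/dev/null | extract_version)
    if [ -n "$installed" ]; then
        echo "bash $installed: $(bash_status "$installed")"
    fi
fi
```

On a release other than 14.04 the fixed version differs, so set `FIXED_TRUSTY` to the value from that release's security notice before relying on the result.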

Done and thanks :smiley:

Keith

Also done.

Sorry it took a while for me to mark it solved - bit frantic this end!

Thanks Mark

You’re most welcome :slight_smile: