Update your Linux distro ASAP

Very recently a vulnerability was discovered in bash, which is the command prompt shell you'd use whenever you use your terminal. Here is the info:

http://www.csoonline.com/article/2687265...-2014-6271.html

Thankfully, being open source, a patch has already been crafted and released for all major distros. My Ubuntu, Debian and Fedora systems were all updated last night and this morning with said patch. If you've been prompted in the last 24 hours for any software updates, I will bet that this issue has already been addressed for you; but for those of you who've set your update managers to bother you only every x days or weeks, you may want to run it manually now.

This is from Red Hat's site:

Quote:
To test if your version of Bash is vulnerable to this issue, run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
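The Red Hat check quoted above can be wrapped so it produces a machine-readable verdict instead of output you eyeball. The script below is an added example, not code from the thread or from Red Hat: it runs the same environment-variable test against a given bash binary (default: the first `bash` on PATH), classifies the output, and prints the result. The function names and the UNKNOWN verdict (bash missing, or output matching neither pattern) are my own. On bash builds carrying the final upstream fix no warning is printed at all for a variable named `x`, so the only output is "this is a test"; the classifier treats that as PATCHED as well.

```shell
#!/bin/sh
# Added example (not from the thread): wrap Red Hat's CVE-2014-6271 test
# so it can be run against any bash binary and yields a fixed verdict.

# classify_output STRING -> prints VULNERABLE, PATCHED or UNKNOWN
# Order matters: a vulnerable shell prints "vulnerable" AND "this is a test",
# so the "vulnerable" marker is checked first.
classify_output() {
    case "$1" in
        *vulnerable*)       echo VULNERABLE ;;
        # Either the warning lines from the early fix or, on later bash
        # builds, just the echo line: the injected command did not run.
        *"this is a test"*) echo PATCHED ;;
        *)                  echo UNKNOWN ;;
    esac
}

# check_bash [BINARY] -> runs the Red Hat test and prints the verdict
check_bash() {
    bin=${1:-bash}
    # stderr is merged so the "ignoring function definition" warning is seen;
    # a missing binary yields an error message that classifies as UNKNOWN.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>&1) || true
    classify_output "$out"
}

# Stand-alone use: ./shellshock_check.sh [/path/to/bash]
target=${1:-bash}
printf '%s: %s\n' "$target" "$(check_bash "$target")"
```

In a fleet check you would call `check_bash /bin/bash` per host and alert on anything other than PATCHED; UNKNOWN deserves a look too, since it usually means bash was not where you expected.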
 
Good grief! Not again! Yes, Mac OS X is affected also.

I just wonder when Apple may get around to coming out with the update so I can update my iMac.
 
Originally Posted By: L_Sludger
I read about Mac users being affected too?


Yup. All UNIX and UNIX-like systems. It remains unclear whether Apple has patched anything yet.
 
Originally Posted By: Mystic
Good grief! Not again! Yes, Mac OS X is affected also.

I just wonder when Apple may get around to coming out with the update so I can update my iMac.


This comes from a Mac news site:

Quote:
Yes, you are technically vulnerable. But the reality is unless you allow SSH access from remote connections or a web server that runs server side scripting, you are not at risk. You are only truly vulnerable if someone you do not know can remotely access your machine & do so in a way where a Bash command can be executed.

So this issue is mainly of concern to system administrators on Mac OS X & Unix/Linux servers exposed to the world, not desktop users who do not enable SSH sharing.


I have SSH servers running on my system(s) as well as the dozen systems I administer for family, friends and neighbours; but if you don't I cannot see a threat, beyond the theoretical, for you.
 
Well, that is a relief. Thanks for that information. It took Apple months to correct for a software issue a while back. They updated the iOS operating system before they worried about Mac OS X. I would still like to see an update however.

Once again we realize that all of these operating systems are just human technology that can be compromised. There is no magic operating system. In the case of open source and Linux operating systems there are probably not enough programmers watching the store.

Maybe that will soon be true of Microsoft also. They have laid off or fired thousands at Microsoft. And they are closing the Secure Computing unit.
 
I had the vulnerability, but after the latest Ubuntu patches, it went away.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
 
Originally Posted By: JerryBob
I had the vulnerability, but after the latest Ubuntu patches, it went away.


Yes - All of the major distros (which are usually either Red Hat or Debian based) got the patch out within a day, it seems. Apple? Not so much; but since this is going to be a problem only for servers for the most part, a MacOS user should probably carry on with his or her life feeling as safe as they did before this information came about.
 
Not just Linux. Oracle Solaris is vulnerable.

Saw this note:

Quote:
Oracle knows about CVE-2014-6271 and will issue a fix as soon as a complete and well-tested fix is available
 
https://access.redhat.com/articles/1200223

Quote:


Update: 2014-09-25 03:10 UTC

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. See also Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.


Rushing to get something out and then fixing it incompletely.

Media doesn't help by posting stories and not following up.

This is why Oracle takes their time.
 
Originally Posted By: javacontour
Not just Linux. Oracle Solaris is vulnerable.


It seems like ALL *NIX, derivatives and *NIX work-a-likes with bash are/were vulnerable.

I am certain Larry Ellison is screaming on the phone at someone right now to get a patch out for Solaris. :^)
 
I am not trying to argue with you but, quote: "This is why Oracle takes their time."

Are you also talking about how slow they are to update Java? Java is probably the biggest single security risk on the internet. They maybe take a little too much time in keeping Java updated, don't you think?
 
Which is interesting since there was a fix for OEL Bash. Just rolled it out on my virtual box instance.

It will be interesting to compare the fixes for OEL and Solaris.


Originally Posted By: simple_gifts
https://access.redhat.com/articles/1200223

Quote:


Update: 2014-09-25 03:10 UTC

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. See also Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.


Rushing to get something out and then fixing it incompletely.

Media doesn't help by posting stories and not following up.

This is why Oracle takes their time.
 
OEL is based on open source; most (if not all) maintainers of the code do not work for oracle. Oracle simply integrates code fixes that others have submitted and puts them in the update tree.

Solaris OTOH is maintained in house. Fewer people maintain it and integration testing is done with the 'recommended and security' patchsets. Consequently, a higher level of confidence is gained that the issue was addressed and that the fix is compatible with other software components (probably not too difficult in this case).

WRT Java, yes, they are slow to release fixes. In fact it is quarterly as indicated in their Security Advisories. A few may realize that java powers many application servers, so fixes can't just be released 'willy nilly' if it creates stability issues for customers. A java patch is easy to remove from a PC, but it is not a small matter when an application server handling 5000 transactions/sec takes a dive. Extra attention must be given as to the ramifications of JRE changes.

As with MS, 'home users' are not their target audience.

A simple comparison between linux documentation (there is none other than the man pages) and solaris documentation indicates the approach to OS development. Linux blows like the wind version to version and solaris takes a measured, methodical approach to integrating new features.
 
I can remember years ago people were talking up Java and some know-it-alls even said that Java would replace Windows. Now it seems like a lot of people on the net are trying to get rid of Java as fast as they can.

I personally stopped using Java a long time ago. There is exactly one website I know of that I used to visit that still uses Java and I have not visited that website for a long time.

I can't speak for Apple but Java software was being updated so slowly Apple started to take care of that themselves. In fact, I think on the two most recent versions of Mac OS X Java will be removed in thirty days if the owner of the computer does not use Java. Correct me if I am wrong. It seems most website owners are trying to move beyond Java and the only software I am aware of that requires Java is the Adobe Creative Suite, I believe. I use Adobe products but not the Adobe Creative Suite so I am not sure about that.

Research by Microsoft shows that Java, Adobe Reader, and Adobe Flash are huge security issues if the software is not kept updated. In fact, not so long ago probably 70-90% of malware relied on these three but the bad guys are constantly changing their tactics.

I realize that updating Java on a server computer can be much more difficult than updating the software on a desktop home computer. But today I would not use Java under any circumstances, no matter what anybody said about how wonderful Java may or may not be.

And I am old enough to remember Java being used on many websites. Well, today, Java is disappearing at least on the overwhelming majority of websites that I visit.

I would say that is a very good thing.
 
Solaris 8-SPARC used /sbin/sh, a statically-linked Bourne-compatible shell for root and services. 9? I think it was still /sbin/sh. 10-SPARC? Pretty sure it was /bin/ksh. 11? Well, there really is no root anymore, that's a role, but it's using /usr/bin/bash, at least the x64 version is.

Then there's this from a (dated) FAQ:

Quote:
From 2.3 onward (1994?) all system rc scripts are executed under sh regardless of the root shell (see /etc/rcS).

So really this seems much more a Linux vulnerability.
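The post above makes the point that exposure depends on which shell the system's scripts actually run under, not on what the root user's login shell is. The script below is an added example, not from the thread: it reports what `/bin/sh` resolves to on the host and counts the scripts in a directory whose shebang names bash (either `#!/bin/bash` or `#!/usr/bin/env bash`). When run with no argument it builds a constructed sample directory of init-style scripts so it can be tried offline; the file names and contents of that sample are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): inventory which interpreter the
# system's scripts run under, so you know whether the bash bug even applies
# to them.

# resolve_sh [PATH] -> base name of what /bin/sh (or PATH) resolves to,
# e.g. dash, bash, ksh; falls back to the path itself if readlink -f is absent.
resolve_sh() {
    p=${1:-/bin/sh}
    target=$(readlink -f "$p" 2>/dev/null) || target=$p
    basename "$target"
}

# uses_bash FILE -> exit 0 if the first line is a bash shebang
uses_bash() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '#!'*/bash*|'#!'*'env bash'*) return 0 ;;
        *)                            return 1 ;;
    esac
}

# count_bash_scripts DIR -> number of regular files in DIR with a bash shebang
count_bash_scripts() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if uses_bash "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# make_sample_dir -> path of a constructed directory of sample rc-style scripts
# (sample data for the example; two of the five files use bash)
make_sample_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho posix\n'           > "$d/S10posix"
    printf '#!/bin/bash\necho bash\n'          > "$d/S20bash"
    printf '#!/usr/bin/env bash\necho envbash\n' > "$d/S30envbash"
    printf '#!/bin/ksh\necho ksh\n'            > "$d/S40ksh"
    printf 'not a script\n'                    > "$d/README"
    echo "$d"
}

# Stand-alone use: ./shell_inventory.sh [/etc/init.d]
if [ -n "$1" ]; then
    dir=$1
else
    dir=$(make_sample_dir)
fi
printf '/bin/sh resolves to: %s\n' "$(resolve_sh)"
printf 'bash-shebang scripts in %s: %s\n' "$dir" "$(count_bash_scripts "$dir")"
[ -n "$1" ] || rm -rf "$dir"
```

Point it at `/etc/init.d`, a cron directory, or a CGI directory on a real host; a result of zero bash scripts together with `/bin/sh` resolving to dash or ksh is the situation the post describes, where a bash flaw does not reach the system's own scripts.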
 
Only reason I brought up Java was because of the statement that Oracle takes its time on updates. And I asked if that was the reason why Java is updated so slowly.
 