[olug] Bash Bug Info

Dan Linder dan at linder.org
Wed Oct 1 20:23:33 CDT 2014


Yup, I ran the tests and these two systems fail the initial test that went
out last week.

I'll probably go the .tgz route and recompile it to have on hand if the
other avenues don't pan out.

Thanks!
Dan

On Wed, Oct 1, 2014 at 8:32 PM, unfy <olug at unfy.org> wrote:

> What version of bash ?
>
> If it's old, and by old I mean ancient ... does it even have the bug in
> question ?
>
> If you can throw a newer version of bash, it'd be just grabbing bash 4.3
> tgz, and then all of the patches... applying them all and compiling it all.
>
> Otherwise... things get complicated.
>
> -Will
>
>
>
>
> On 10/1/2014 7:29 PM, Dan Linder wrote:
>
>> Anyone know where I can get bash for an ancient RedHat 3 and RedHat 4
>> system?  (No, I can't upgrade them...)
>>
>> Dan
>>
>> On Tue, Sep 30, 2014 at 6:53 PM, Chad Homan <choman at gmail.com> wrote:
>>
>>> Yeah, the sixth one got added shortly after I sent the email
>>>
>>> HA, we should start a pool on how many CVEs by the end of the month.
>>>
>>> Together We Win!   Looking for cloud storage, try copy.com (20g free
>>> <https://copy.com?r=6BuEoY>)
>>> --
>>> Chad - Mynt / Core Promoter
>>> Do You Know Your Life Score? <http://choman.mymonavie.com>
>>> Creating A More Meaningful Life
>>>
>>> Some people, when confronted with a problem, think "I know, I'll use
>>> Windows."
>>> Now they have two problems.
>>>
>>> Some people claim if you play a Windows Install Disc backwards you'll hear
>>> satanic Messages.
>>> That's nothing, if you play it forward it installs Windows
>>>
>>> On Tue, Sep 30, 2014 at 2:21 PM, Jon Larsen <jon at jonlarsen.us> wrote:
>>>
>>>> I've been keeping an eye on the patches folder in the original source
>>>> folder.
>>>> ftp://ftp.gnu.org/gnu/bash/
>>>>
>>>> look under the 'bash-x.x-patches' folder for your given version of bash
>>>> for the patch code.
>>>>
>>>> I wish the patch contained the relevant CVE info.  But, you can match the
>>>> 'bug reported by' at the top to entries in the ISC presentation -
>>>> https://isc.sans.edu/presentations/ShellShockV2.pdf
>>>>
>>>> On Tue, Sep 30, 2014 at 1:34 PM, Jason Troy <jason.troy at gmail.com> wrote:
>>>>
>>>>> 6 CVEs But who's counting ... the latest one is undergoing
>>>>> analysis/confirmation that the originally patched systems are still
>>>>> affected:
>>>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278
>>>>>
>>>>>
>>>>> -- JT
>>>>>
>>>>> On Tue, Sep 30, 2014 at 12:51 PM, Chad Homan <choman at gmail.com> wrote:
>>>>>
>>>>>> Sorry if I'm duplicating info here.  I have not been following the thread
>>>>>> very well.
>>>>>>
>>>>>> But for those interested, here is a web site tracking the shellshocker bug
>>>>>> and its derivatives: https://shellshocker.net/
>>>>>>
>>>>>> Currently it is referencing all 5 CVEs (YES 5) and also covers the tests
>>>>>> one needs to do to verify the fixes.
>>>>>>
>>>>>> On Fri, Sep 26, 2014 at 10:10 PM, unfy <olug at unfy.org> wrote:
>>>>>>
>>>>>>> On 9/26/2014 8:47 PM, Rob Townley wrote:
>>>>>>>
>>>>>>>> Wondering if it might be helpful to pull the source for the package -
>>>>>>>> SRPM and whatever DEB calls it - and see what they do to patch and
>>>>>>>> configure it. Would not be surprised if there is a metric boatload of
>>>>>>>> options for bash compilation and configuration afterwards.
>>>>>>>
>>>>>>> I managed to find the configure options somewhere.  Yes it was 2 or 3
>>>>>>> lines at 1650 resolution heh :D.  Were all of those options necessary ?
>>>>>>> No, but when you're being exacting for a distro setup, it makes sense.
>>>>>>>
>>>>>>> No, I didn't save those options somewhere.  I don't think.  Back pain
>>>>>>> has me not thinking clearly lately.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OLUG mailing list
>>>>>>> OLUG at olug.org
>>>>>>> https://lists.olug.org/mailman/listinfo/olug



-- 
***************** ************* *********** ******* ***** *** **
"Quis custodiet ipsos custodes?"
    (Who can watch the watchmen?)
    -- from the Satires of Juvenal
"I do not fear computers, I fear the lack of them."
    -- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************
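
Added example, not part of the original thread: Jon Larsen's tip above is to match the 'bug reported by' line at the top of each patch to the CVE write-ups. This sketch lists that line for every file in a downloaded patches folder; it assumes the reports carry `Patch-ID:` and `Bug-Reported-by:` header fields ahead of a `Bug-Description:` section, and the sample files, IDs and reporter name are constructed.

```sh
#!/bin/sh
# Added example: print "Patch-ID<TAB>Bug-Reported-by" for each patch report
# in a directory, so patches can be matched to CVE write-ups by reporter.

# patch_reporters DIR
# Only the header is read: parsing stops at the "Bug-Description:" line.
patch_reporters() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "patch_reporters: not a directory: $dir" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.sig) continue ;; esac   # skip detached signatures
        awk -v file="${f##*/}" '
            /^Patch-ID:/        { sub(/^Patch-ID:[ \t]*/, ""); id = $0 }
            /^Bug-Reported-by:/ { sub(/^Bug-Reported-by:[ \t]*/, ""); who = $0 }
            /^Bug-Description:/ { exit }
            END {
                if (id == "")  id  = file
                if (who == "") who = "(no reporter listed)"
                printf "%s\t%s\n", id, who
            }' "$f"
    done
}

# Constructed sample reports (placeholder IDs and names, not real patches).
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'Bash-Release:\t4.3\nPatch-ID:\tbash43-901\n\nBug-Reported-by:\tExample Reporter <reporter@example.org>\nBug-Reference-ID:\n\nBug-Description:\n\nConstructed text.\n' > "$d/bash43-901"
    printf 'Bash-Release:\t4.3\nPatch-ID:\tbash43-902\n\nBug-Description:\n\nBug-Reported-by: body text, ignored\n' > "$d/bash43-902"
    : > "$d/bash43-901.sig"
    echo "$d"
}

samples=$(make_samples)
patch_reporters "$samples"
rm -rf "$samples"
```

Point it at the unpacked 'bash-x.x-patches' folder for the installed version; a file with no reporter in its header is still listed, so gaps are visible.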

