Bash security update published by Redhat


  • accounts
    replied
    Got that test from another website, but will presume your answer is the right one.


  • iseletsk
    replied
    What exactly do you think it tests? You are basically running:

    bash -c "echo vulnerable to CVE-2014-7169"

    Of course it will print out: vulnerable to CVE-2014-7169
    No injection here, bash just executes "echo ...." command.


  • accounts
    replied
    I have that version installed. Here's another test that should work on any nix version:

    Code:
    env var=(){(a)=> bash -c "echo vulnerable to CVE-2014-7169"; /bin/true


  • david
    replied
    Seems to be the correct version though?


  • accounts
    replied
    For redhat based systems the test I mentioned above is here: https://access.redhat.com/articles/1200223


  • david
    replied
    AFAIK it shouldn't print out those error messages, kernow.

    Check the bottom of https://access.redhat.com/articles/1212303 for the outputs when not affected.
    Perhaps there's a difference of output from redhat and debian?


  • accounts
    replied
    Until the fix comes, if you use mod_security add the rules posted here: https://access.redhat.com/articles/1212303


  • tommy
    replied
    Update seems to be available now.


  • sqh
    replied
    CloudLinux pushed out the first bash update, but now there is a second update available. My non-CloudLinux boxes got the update directly from the CentOS repo... just waiting for CloudLinux to catch up.

    - Scott


  • tommy
    replied
    Is the updated fix far away Igor?


  • rodrigomf
    replied
    Yeah, figured it out, thank you very much!


  • david
    replied
    bitlab:
    try:

    Code:
    yum clean all
    
    yum update bash

    It also seems you're using the yum priorities plugin. Perhaps you're holding bash back by having higher priority for some other repo?
    Check priority in your /etc/yum.repos.d/ files and make sure cloudlinux.repo has the highest (lowest value) priority - that is: priority=1
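
The priority check suggested in the post above can be scripted. This is an added example, not code from the thread or from CloudLinux; the function names are hypothetical, and it assumes the yum priorities plugin default of 99 for a repo that sets no `priority=`.

```sh
#!/bin/sh
# Print "priority repoid enabled file" for every repo section in DIR,
# lowest priority value (the one the priorities plugin prefers) first.
repo_priorities() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
            function flush() {
                if (id == "") return
                p = (prio == "" ? 99 : prio)   # assumed plugin default
                print p, id, enabled, file
            }
            /^[ \t]*[#;]/ { next }             # comment lines
            /^[ \t]*\[[^]]+\]/ {               # start of a [repoid] section
                flush()
                id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
                prio = ""; enabled = 1; next
            }
            /^[ \t]*priority[ \t]*=/ { prio = val($0) }
            /^[ \t]*enabled[ \t]*=/  { enabled = val($0) }
            END { flush() }
        ' "$f"
    done | sort -k1,1n -k2,2
}

# Print "repoid priority" for enabled repos whose priority value is strictly
# lower than that of every enabled repo defined in FILE (e.g. cloudlinux.repo).
# Empty output means the repos in FILE are not being overridden.
outranking_repos() {
    repo_priorities "$1" | awk -v want="$2" '
        $3 != 1 { next }                       # disabled repos do not count
        $4 == want { if (!have || $1 + 0 < best) { best = $1 + 0; have = 1 }; next }
        { name[++n] = $2; p[n] = $1 + 0 }
        END { for (i = 1; i <= n; i++) if (!have || p[i] < best) print name[i], p[i] }
    '
}

# Typical use on the affected box:
#   repo_priorities /etc/yum.repos.d
#   outranking_repos /etc/yum.repos.d cloudlinux.repo
```

Any repo this prints can mask a newer bash package from cloudlinux.repo, which matches the "packages excluded due to repository priority protections" line in the yum output quoted in this thread.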


  • david
    replied
    Igor, will you guys be waiting for upstream for the next patch or will you guys patch it yourselves?

    Might not be as bad as I thought, so perhaps it's worth waiting for upstream patch.


  • rodrigomf
    replied
    Hi there:

    I just did exactly that but got this:

    yum update bash
    Loaded plugins: priorities, protectbase, rhnplugin, security
    27 packages excluded due to repository priority protections
    0 packages excluded due to repository protections
    Setting up Update Process
    No Packages marked for Update

    Any clues?


  • clm
    replied
    Thanks!

    Is there a risk running ldconfig instead of rebooting?
