Bash security update published by Redhat

accounts · 09-26-2014, 07:58 AM

Got that test from another website, but will presume your answer is the right one.

iseletsk · 09-26-2014, 07:42 AM

What exactly do you think it tests? You are basically running:

bash -c "echo vulnerable to CVE-2014-7169"

of course it will print out: vulnerable to CVE-2014-7169
No injection here, bash just executes "echo ...." command.

accounts · 09-26-2014, 05:33 AM

I have that version installed. Heres another test that should work on any nix version:

Code:

env var=(){(a)=> bash -c "echo vulnerable to CVE-2014-7169"; /bin/true

david · 09-26-2014, 05:28 AM

Seems to be the correct version though?

Red Hat Customer Portal - Access to 24x7 support and knowledge

https://rhn.redhat.com/errata/RHSA-2014-1306.html

accounts · 09-26-2014, 05:23 AM

For redhat based systems the test I mentioned above is here: https://access.redhat.com/articles/1200223

david · 09-26-2014, 05:15 AM

afaik it shouldnt print out those error messages kernow.

Check bottom https://access.redhat.com/articles/1212303 for the outputs when not affected.
Perhaps theres a difference of output from redhat and debian?

accounts · 09-26-2014, 05:06 AM

Until the fix comes, if you use mod_security add the rules posted here: https://access.redhat.com/articles/1212303

tommy · 09-26-2014, 04:18 AM

Update seem to be available now.

sqh · 09-26-2014, 02:10 AM

CloudLinux pushed out the first bash update, but now there is a second update available. My non-CloudLinux boxes got the update directly from the CentOS repo... just waiting for CloudLinux to catch up.

- Scott

tommy · 09-26-2014, 02:04 AM

Is the updated fix far away Igor?

rodrigomf · 09-25-2014, 03:27 AM

Yeah, figured it out, thank you very much!

david · 09-25-2014, 03:19 AM

bitlab:
try:

Code:

yum clean all

yum update bash

It also seems youre using yum priorities plugin. Perhaps youre holding bash back by having higher priority for some other repo?
Check priority in your /etc/yum.repos.d/ files and make sure cloudlinux.repo has the highest (lowest value) priority - that is: priority=1

david · 09-25-2014, 03:16 AM

Igor, will you guys be waiting for upstream for the next patch or will you guys patch it yourselves?

1141597 – (CVE-2014-6271) CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands

https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23

cve-details

https://access.redhat.com/security/cve/CVE-2014-7169

Might not be as bad as I thought, so perhaps its worth waiting for upstream patch.

oss-security - Re: CVE-2014-6271: remote code execution through bash

http://www.openwall.com/lists/oss-security/2014/09/24/40

rodrigomf · 09-25-2014, 03:08 AM

Hi there:

I just did exactly that but got this:

yum update bash
Loaded plugins: priorities, protectbase, rhnplugin, security
27 packages excluded due to repository priority protections
0 packages excluded due to repository protections
Setting up Update Process
No Packages marked for Update

Any clues?

clm · 09-25-2014, 02:48 AM

Thanks !

Is there a risk running ldconfig instead of rebooting ?

Bash security update published by Redhat

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment: