[CVE-2014-6271] Update the Bash package ASAP

pvsage · 2014-09-27 06:19:10

#!_828 wrote:

My favorite was in the beginning, "Another computer bug out there that could eat your software, the new bug is called 'Brash' [sic], it's called the 'Bash-bug,' the bug known as 'Bash'. Also at 00:24, "It is called the 'Bash-bug' and it lets someone hack every device in your house . . ."

OK, I'm calling Poe's Law on this one. Next they'll claim it can cause your toaster to explode and give your daughter herpes.

mariannemarlow · 2014-09-27 09:49:37

Can I be a total dunce and ask what I need to do to update bash?

I got the

vulnerable
this is a test

Forthy · 2014-09-27 10:15:28

Sudo apt-get update & & Sudo apt-get upgrade

pvsage · 2014-09-27 10:19:06

@mariannemarlow: Not a total dunce, and by the way, it's always nice to hear from our Budgie Queen. 8o

If you have a relatively normal /etc/apt/sources.list for CrunchBang Waldorf (nothing beyond Waldorf, Wheezy, Wheezy security updates, and Wheezy backports), `sudo apt-get update && sudo apt-get upgrade` should handle it.

EDIT: ninja'd.

Last edited by pvsage (2014-09-27 10:20:36)

mariannemarlow · 2014-09-27 10:21:11

Forthy wrote:

Sudo apt-get update & & Sudo apt-get upgrade

Thank you

I do update once a week but will now upgrade..

p.s. what is the difference between dist-upgrade and upgrade?

pvsage · 2014-09-27 10:26:42

"update" just verifies your local APT database against the one in the repo; it doesn't make any changes to installed packages.
"upgrade" upgrades what packages it can without removing or obsolescing any other packages. This sometimes results in packages being "held back" because of conflicts.
"dist-upgrade" upgrades packages and can remove packages that will cause conflicts with newer versions.

mariannemarlow · 2014-09-27 10:28:16

pvsage wrote:

@mariannemarlow: Not a total dunce, and by the way, it's always nice to hear from our Budgie Queen. 8o
If you have a relatively normal /etc/apt/sources.list for CrunchBang Waldorf (nothing beyond Waldorf, Wheezy, Wheezy security updates, and Wheezy backports), `sudo apt-get update && sudo apt-get upgrade` should handle it.
EDIT: ninja'd.

@pvsage: Thank you.

My sources list is pretty basic yes.

It's the thought that counts, thanks for replying!

mariannemarlow · 2014-09-27 10:29:21

pvsage wrote:

"update" just verifies your local APT database against the one in the repo; it doesn't make any changes to installed packages.
"upgrade" upgrades what packages it can without removing or obsolescing any other packages. This sometimes results in packages being "held back" because of conflicts.
"dist-upgrade" upgrades packages and can remove packages that will cause conflicts with newer versions.

@pvsage: Thanks for the explanation

pvsage · 2014-09-27 10:33:29

^ Just call me King of the Elevator Pitch. Wait till you hear my explanation of the Theory of Narrative Causality.

This just happened because, if it hadn't happened, there wouldn't be much of a story.

Head_on_a_Stick · 2014-09-27 11:03:37

From my Debian Sid:

empty@Debian:~$ cd /tmp && rm -f /tmp/echo && env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\' bash -c 'echo echo vulnerable'; cat echo
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: f: line 1: syntax error near unexpected token `='
bash: f: line 1: `'
bash: error importing function definition for `f'
vulnerable
empty@Debian:/tmp$ echo vulnerable

Updating the system now, I may be some time...

The following packages will be upgraded:
  anacron *bash* clearlooks-phenix-theme devscripts dmsetup gir1.2-atk-1.0 grub-common 
  grub-efi grub-efi-amd64 grub-efi-amd64-bin grub2-common gzip kmod libatk1.0-0 
  libatk1.0-data libdevmapper-event1.02.1 libdevmapper1.02.1 libjack-jackd2-0 
  libjpeg-progs libkmod2 libksba8 libllvm3.4 liblvm2app2.2 module-init-tools 
  task-english task-laptop tasksel tasksel-data

Last edited by Head_on_a_Stick (2014-09-27 11:05:59)

twoion · 2014-09-27 11:38:54

^ Try harder ^^

965 upgraded, 60 newly installed, 21 to remove and 14 not upgraded.

Head_on_a_Stick · 2014-09-27 11:42:10

965?!
Well done sir!

Sector11 · 2014-09-27 12:15:58

@ twoion

↑965 +60 -21 and ~14 <--- is that a fresh install?

twoion · 2014-09-27 12:24:45

Na, just the regular Unstable pile over one month. I know that there are too many -dev packages and libraries I haven't needed in years, but I am too lazy to clean up

The install itself is now about 2.5 years old.

Head_on_a_Stick · 2014-09-27 12:31:10

twoion wrote:

Na, just the regular Unstable pile over one month.

How can you do that?
Thanks to Arch, I now have upgrade OCD -- at least twice a day for me...
]:D

Head_on_a_Stick · 2014-09-27 12:36:36

Debian Sid is now fixed (for the 4 exploits listed so far):

empty@Debian ~ % cd /tmp && rm -f /tmp/echo && env 'x=() { :;}; echo vulnerable' 'f=() { (
a)=>\' bash -c 'echo echo vulnerable'; cat echo
echo vulnerable
cat: echo: No such file or directory

Job's a good 'un

Last edited by Head_on_a_Stick (2014-09-27 12:37:07)

Sector11 · 2014-09-27 12:52:39

Head_on_a_Stick wrote:

twoion wrote:
Na, just the regular Unstable pile over one month.
How can you do that?
Thanks to Arch, I now have upgrade OCD -- at least twice a day for me...
]:D

I hear you. When I ran SID I did update/dist-upgrade at least once a day.

twoion · 2014-09-27 13:11:19

Sector11 wrote:

Head_on_a_Stick wrote:
twoion wrote:
Na, just the regular Unstable pile over one month.
How can you do that?
Thanks to Arch, I now have upgrade OCD -- at least twice a day for me...
]:D
I hear you. When I ran SID I did update/dist-upgrade at least once a day.

I fared quite well. When something broke, I rarely couldn't fix it. Albeit it truly is exciting:

0) $ apt-get dist-upgrade -d && check if there's actually a clean upgrade path open
a) prepare hot beverage and pen+paper in case everything is going wrong
b) backup all the things
c) switch to tty, login as root (sweaty hands at this point)
d) start a tmux session (for scrollback!)
d) stop X
e) stop/kill all services
f) # apt-get dist-upgrade
e) apt-listbugs says danger? -> work out a away around deadly bugs. Or stop.
f) 20 minutes pure action
g) enter reboot command, cross fingers

Sector11 · 2014-09-27 13:20:40

twoion wrote:

I fared quite well. When something broke, I rarely couldn't fix it. Albeit it truly is exciting:

AAAA HA! So that's where I went wrong ... I got "cross fingers" stuck someplace between "prepare hot beverage" and "switch to tty". No wonder some of those commands looked like a cat on catnip was doing the typing.

photonucleon · 2014-09-27 14:47:34

This post from the #! forums en France is quite cool

Head_on_a_Stick · 2014-09-30 20:59:47

Just when you thought it was safe to go back to the shell:
http://web.nvd.nist.gov/view/vuln/detai … -2014-6278
Not again!

#!_828 · 2014-09-30 21:14:41

^Awwww, s**t But hey, maybe as the #! Cat, a little degaussing will help you out

CSCoder4ever · 2014-09-30 21:21:56

Time to switch to the BSD's? O:)

#!_828 · 2014-09-30 21:26:58

^ Maybe try degaussing your mechanical keyboards, too

Last edited by #!_828 (2014-09-30 21:27:10)

Head_on_a_Stick · 2014-09-30 21:29:15

#!_828 wrote:

^Awwww, s**t But hey, maybe as the #! Cat, a little degaussing will help you out

Great link thank you!

How to degauss a cat wrote:

First: Take the cat outside and coil a lightweight copper or aluminum wire loosely around it, beginning at whichever end the cat prefers, or allows.

My cat neither allowed nor preferred either end...

CrunchBang Linux

SEARCH

#26 2014-09-27 06:19:10

Re: [CVE-2014-6271] Update the Bash package ASAP

#27 2014-09-27 09:49:37

Re: [CVE-2014-6271] Update the Bash package ASAP

#28 2014-09-27 10:15:28

Re: [CVE-2014-6271] Update the Bash package ASAP

#29 2014-09-27 10:19:06

Re: [CVE-2014-6271] Update the Bash package ASAP

#30 2014-09-27 10:21:11

Re: [CVE-2014-6271] Update the Bash package ASAP

#31 2014-09-27 10:26:42

Re: [CVE-2014-6271] Update the Bash package ASAP

#32 2014-09-27 10:28:16

Re: [CVE-2014-6271] Update the Bash package ASAP

#33 2014-09-27 10:29:21

Re: [CVE-2014-6271] Update the Bash package ASAP

#34 2014-09-27 10:33:29

Re: [CVE-2014-6271] Update the Bash package ASAP

#35 2014-09-27 11:03:37

Re: [CVE-2014-6271] Update the Bash package ASAP

#36 2014-09-27 11:38:54

Re: [CVE-2014-6271] Update the Bash package ASAP

#37 2014-09-27 11:42:10

Re: [CVE-2014-6271] Update the Bash package ASAP

#38 2014-09-27 12:15:58

Re: [CVE-2014-6271] Update the Bash package ASAP

#39 2014-09-27 12:24:45

Re: [CVE-2014-6271] Update the Bash package ASAP

#40 2014-09-27 12:31:10

Re: [CVE-2014-6271] Update the Bash package ASAP

#41 2014-09-27 12:36:36

Re: [CVE-2014-6271] Update the Bash package ASAP

#42 2014-09-27 12:52:39

Re: [CVE-2014-6271] Update the Bash package ASAP

#43 2014-09-27 13:11:19

Re: [CVE-2014-6271] Update the Bash package ASAP

#44 2014-09-27 13:20:40

Re: [CVE-2014-6271] Update the Bash package ASAP

#45 2014-09-27 14:47:34

Re: [CVE-2014-6271] Update the Bash package ASAP

#46 2014-09-30 20:59:47

Re: [CVE-2014-6271] Update the Bash package ASAP

#47 2014-09-30 21:14:41

Re: [CVE-2014-6271] Update the Bash package ASAP

#48 2014-09-30 21:21:56

Re: [CVE-2014-6271] Update the Bash package ASAP

#49 2014-09-30 21:26:58

Re: [CVE-2014-6271] Update the Bash package ASAP

#50 2014-09-30 21:29:15

Re: [CVE-2014-6271] Update the Bash package ASAP

Board footer