#26 2014-09-27 06:19:10

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

#!_828 wrote:

My favorite was in the beginning, "Another computer bug out there that could eat your software, the new bug is called 'Brash' [sic], it's called the 'Bash-bug,' the bug known as 'Bash'." Also at 00:24, "It is called the 'Bash-bug' and it lets someone hack every device in your house . . ."  lol  lol  lol

OK, I'm calling Poe's Law on this one.  Next they'll claim it can cause your toaster to explode and give your daughter herpes.

Offline

#27 2014-09-27 09:49:37

mariannemarlow
#! Die Hard
From: My flat, London, England
Registered: 2012-06-03
Posts: 2,246
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

Can I be a total dunce and ask what I need to do to update bash?

I got the

vulnerable
this is a test


Between two evils, I always pick the one I never tried before ~ Mae West

Offline

#28 2014-09-27 10:15:28

Forthy
#! CrunchBanger
Registered: 2012-01-16
Posts: 226

Re: [CVE-2014-6271] Update the Bash package ASAP

sudo apt-get update && sudo apt-get upgrade

Offline

#29 2014-09-27 10:19:06

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

@mariannemarlow:  Not a total dunce, and by the way, it's always nice to hear from our Budgie Queen. 8o

If you have a relatively normal /etc/apt/sources.list for CrunchBang Waldorf (nothing beyond Waldorf, Wheezy, Wheezy security updates, and Wheezy backports), `sudo apt-get update && sudo apt-get upgrade` should handle it.

EDIT: ninja'd. mad  lol

Last edited by pvsage (2014-09-27 10:20:36)

Offline

#30 2014-09-27 10:21:11

mariannemarlow
#! Die Hard
From: My flat, London, England
Registered: 2012-06-03
Posts: 2,246
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

Forthy wrote:

sudo apt-get update && sudo apt-get upgrade

Thank you  smile

I do update once a week but will now upgrade..

p.s. what is the difference between dist-upgrade and upgrade?


Between two evils, I always pick the one I never tried before ~ Mae West

Offline

#31 2014-09-27 10:26:42

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

"update" just verifies your local APT database against the one in the repo; it doesn't make any changes to installed packages.
"upgrade" upgrades what packages it can without removing or obsolescing any other packages.  This sometimes results in packages being "held back" because of conflicts.
"dist-upgrade" upgrades packages and can remove packages that will cause conflicts with newer versions.

Offline

#32 2014-09-27 10:28:16

mariannemarlow
#! Die Hard
From: My flat, London, England
Registered: 2012-06-03
Posts: 2,246
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

pvsage wrote:

@mariannemarlow:  Not a total dunce, and by the way, it's always nice to hear from our Budgie Queen. 8o

If you have a relatively normal /etc/apt/sources.list for CrunchBang Waldorf (nothing beyond Waldorf, Wheezy, Wheezy security updates, and Wheezy backports), `sudo apt-get update && sudo apt-get upgrade` should handle it.

EDIT: ninja'd. mad  lol

@pvsage: Thank you. smile

My sources list is pretty basic yes.

It's the thought that counts, thanks for replying!


Between two evils, I always pick the one I never tried before ~ Mae West

Offline

#33 2014-09-27 10:29:21

mariannemarlow
#! Die Hard
From: My flat, London, England
Registered: 2012-06-03
Posts: 2,246
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

pvsage wrote:

"update" just verifies your local APT database against the one in the repo; it doesn't make any changes to installed packages.
"upgrade" upgrades what packages it can without removing or obsolescing any other packages.  This sometimes results in packages being "held back" because of conflicts.
"dist-upgrade" upgrades packages and can remove packages that will cause conflicts with newer versions.

@pvsage: Thanks for the explanation smile


Between two evils, I always pick the one I never tried before ~ Mae West

Offline

#34 2014-09-27 10:33:29

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

^ Just call me King of the Elevator Pitch. cool  Wait till you hear my explanation of the Theory of Narrative Causality.

This just happened because, if it hadn't happened, there wouldn't be much of a story.

Offline

#35 2014-09-27 11:03:37

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

From my Debian Sid:

empty@Debian:~$ cd /tmp && rm -f /tmp/echo && env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\' bash -c 'echo echo vulnerable'; cat echo
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: f: line 1: syntax error near unexpected token `='
bash: f: line 1: `'
bash: error importing function definition for `f'
vulnerable
empty@Debian:/tmp$ echo vulnerable

Updating the system now, I may be some time...

The following packages will be upgraded:
  anacron *bash* clearlooks-phenix-theme devscripts dmsetup gir1.2-atk-1.0 grub-common 
  grub-efi grub-efi-amd64 grub-efi-amd64-bin grub2-common gzip kmod libatk1.0-0 
  libatk1.0-data libdevmapper-event1.02.1 libdevmapper1.02.1 libjack-jackd2-0 
  libjpeg-progs libkmod2 libksba8 libllvm3.4 liblvm2app2.2 module-init-tools 
  task-english task-laptop tasksel tasksel-data 

sad

Last edited by Head_on_a_Stick (2014-09-27 11:05:59)

Offline

#36 2014-09-27 11:38:54

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-6271] Update the Bash package ASAP

^ Try harder ^^

965 upgraded, 60 newly installed, 21 to remove and 14 not upgraded.

Tannhäuser ~ {www,pkg,ddl}.bunsenlabs.org/{gitlog,repoidx}

Offline

#37 2014-09-27 11:42:10

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

965?!
Well done sir!
big_smile

Offline

#38 2014-09-27 12:15:58

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

@ twoion

↑965 +60 -21 and ~14 <--- is that a fresh install?


·  ↓   ↓   ↓   ↓   ↓   ↓  ·
BunsenLabs Forums now Open for Registration
·  ↑   ↑   ↑   ↑   ↑   ↑  · BL ModSquad

Offline

#39 2014-09-27 12:24:45

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-6271] Update the Bash package ASAP

Na, just the regular Unstable pile over one month. I know that there are too many -dev packages and libraries I haven't needed in years, but I am too lazy to clean up sad

The install itself is now about 2.5 years old.


Tannhäuser ~ {www,pkg,ddl}.bunsenlabs.org/{gitlog,repoidx}

Offline

#40 2014-09-27 12:31:10

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

twoion wrote:

Na, just the regular Unstable pile over one month.

How can you do that?
Thanks to Arch, I now have upgrade OCD -- at least twice a day for me...
]:D

Offline

#41 2014-09-27 12:36:36

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

Debian Sid is now fixed (for the 4 exploits listed so far):

empty@Debian ~ % cd /tmp && rm -f /tmp/echo && env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\' bash -c 'echo echo vulnerable'; cat echo
echo vulnerable
cat: echo: No such file or directory

Job's a good 'un big_smile

Last edited by Head_on_a_Stick (2014-09-27 12:37:07)

Offline
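Added example (not part of the original thread or any poster's code): the two checks run in the posts above, wrapped so they can be repeated after an upgrade without leaving an `echo` file behind in /tmp. `SHELL_UNDER_TEST`, the function names and the `MARKER_6271` string are assumptions made for this sketch.

```shell
#!/bin/sh
# Local self-check for the Bash function-import tests quoted in this thread.
# SHELL_UNDER_TEST (assumed name) selects the binary to test; defaults to bash on PATH.
SHELL_UNDER_TEST="${SHELL_UNDER_TEST:-bash}"

# CVE-2014-6271: a vulnerable bash executes the command that trails the
# function body in an imported environment variable, so the marker is printed.
check_6271() {
    command -v "$SHELL_UNDER_TEST" >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(env 'x=() { :;}; echo MARKER_6271' \
          "$SHELL_UNDER_TEST" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *MARKER_6271*)      echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;
    esac
}

# Follow-up test from the thread: on an incompletely patched bash the leftover
# '>\' from the malformed definition of f turns 'echo echo vulnerable' into a
# redirection, creating a file named "echo" in the working directory.
check_followup() {
    command -v "$SHELL_UNDER_TEST" >/dev/null 2>&1 || { echo unknown; return 0; }
    dir=$(mktemp -d) || { echo unknown; return 0; }
    # Run inside a scratch directory so the stray file, if any, is contained.
    ( cd "$dir" && env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\' \
        "$SHELL_UNDER_TEST" -c 'echo echo vulnerable' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

printf 'CVE-2014-6271:  %s\n' "$(check_6271)"
printf 'follow-up test: %s\n' "$(check_followup)"
```

Both lines should read `patched` once the upgraded bash package is installed; `unknown` means the binary named in `SHELL_UNDER_TEST` could not be run.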

#42 2014-09-27 12:52:39

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

Head_on_a_Stick wrote:
twoion wrote:

Na, just the regular Unstable pile over one month.

How can you do that?
Thanks to Arch, I now have upgrade OCD -- at least twice a day for me...
]:D

I hear you.  When I ran SID I did update/dist-upgrade at least once a day.


·  ↓   ↓   ↓   ↓   ↓   ↓  ·
BunsenLabs Forums now Open for Registration
·  ↑   ↑   ↑   ↑   ↑   ↑  · BL ModSquad

Offline

#43 2014-09-27 13:11:19

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-6271] Update the Bash package ASAP

Sector11 wrote:
Head_on_a_Stick wrote:
twoion wrote:

Na, just the regular Unstable pile over one month.

How can you do that?
Thanks to Arch, I now have upgrade OCD -- at least twice a day for me...
]:D

I hear you.  When I ran SID I did update/dist-upgrade at least once a day.

I fared quite well. When something broke, I rarely couldn't fix it.  Albeit it truly is exciting:

0) $ apt-get dist-upgrade -d && check if there's actually a clean upgrade path open big_smile
a) prepare hot beverage and pen+paper in case everything is going wrong
b) backup all the things
c) switch to tty, login as root (sweaty hands at this point)
d) start a tmux session (for scrollback!)
e) stop X
f) stop/kill all services
g) # apt-get dist-upgrade
h) apt-listbugs says danger? -> work out a way around deadly bugs. Or stop.
i) 20 minutes pure action
j) enter reboot command, cross fingers


Tannhäuser ~ {www,pkg,ddl}.bunsenlabs.org/{gitlog,repoidx}

Offline

#44 2014-09-27 13:20:40

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

twoion wrote:

I fared quite well. When something broke, I rarely couldn't fix it.  Albeit it truly is exciting:

AAAA HA!  So that's where I went wrong ... I got "cross fingers" stuck someplace between "prepare hot beverage" and "switch to tty".  No wonder some of those commands looked like a cat on catnip was doing the typing.   lol  lol


·  ↓   ↓   ↓   ↓   ↓   ↓  ·
BunsenLabs Forums now Open for Registration
·  ↑   ↑   ↑   ↑   ↑   ↑  · BL ModSquad

Offline

#45 2014-09-27 14:47:34

photonucleon
Quantum Geek
From: Hogwarts
Registered: 2013-06-10
Posts: 952

Re: [CVE-2014-6271] Update the Bash package ASAP

This post from the #! forums en France is quite cool  cool


- Ai! Aníron Undómiel. -
- Some things are certain. -
- Et Eärello Endorenna utúlien. Sinome maruvan ar Hildinyar tenn' Ambar-metta. -

Offline

#46 2014-09-30 20:59:47

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

Just when you thought it was safe to go back to the shell:
http://web.nvd.nist.gov/view/vuln/detai … -2014-6278
Not again!
yikes

Offline

#47 2014-09-30 21:14:41

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

^Awwww, s**t  neutral  But hey, maybe as the #! Cat, a little degaussing will help you out  wink


Those who would trade essential liberty for temporary security deserve neither
Member of the (Un)Official #! Emergency Tinfoil Hat Distribution Center
Emergency Tinfoil Hat Conky Alert System development team

Offline

#48 2014-09-30 21:21:56

CSCoder4ever
BL Keyboard Troll
From: /dev/zero
Registered: 2013-09-03
Posts: 2,256

Re: [CVE-2014-6271] Update the Bash package ASAP

Time to switch to the BSDs?  O:)

Offline

#49 2014-09-30 21:26:58

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

^ Maybe try degaussing your mechanical keyboards, too  smile

Last edited by #!_828 (2014-09-30 21:27:10)


Those who would trade essential liberty for temporary security deserve neither
Member of the (Un)Official #! Emergency Tinfoil Hat Distribution Center
Emergency Tinfoil Hat Conky Alert System development team

Offline

#50 2014-09-30 21:29:15

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

#!_828 wrote:

^Awwww, s**t  neutral  But hey, maybe as the #! Cat, a little degaussing will help you out  wink

Great link, thank you!
big_smile

How to degauss a cat wrote:

First: Take the cat outside and coil a lightweight copper or aluminum wire loosely around it, beginning at whichever end the cat prefers, or allows.

My cat neither allowed nor preferred either end...
hmm

Offline
