#51 2014-09-30 22:17:07

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

^ Then wait until it aligns itself with the Earth's magnetic field & use the least intrusive end  big_smile

EDIT: Also, you could try:

How to degauss a cat wrote:

If the cat does not respond to the above, then “self-degaussing,” in which the cat frees itself from the magnetic fields, may be worth a try. This procedure is also best conducted outdoors, as will be obvious later.

The cat is caused to lie on its side, or better, is found lying on its side of its own accord. An eyedropper is used to place two or three drops of three-percent hydrogen peroxide into whichever ear is facing the dropper. At this step, it is important not to try to restrain the cat, lest one become subject to the various contaminants the cat sheds as it leaves magnetic fields behind and joins the squirrels in the trees. Here one may notice how gracefully the cat leaps from tree to tree, once freed from the bonds of polarization, magnetic fields, and other inconveniences.

For additional help, you can also refer to this highly scientific, informational article, & if so needed, you can check out this wide array of various degaussing accessories to further assist you wink

Last edited by #!_828 (2014-09-30 22:41:53)


Those who would trade essential liberty for temporary security deserve neither
Member of the (Un)Official #! Emergency Tinfoil Hat Distribution Center
Emergency Tinfoil Hat Conky Alert System development team


#52 2014-10-01 05:33:36

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

I'm sorry, but in what way is the current discussion relevant to "Update the Bash package ASAP"? hmm


#53 2014-10-01 11:30:16

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

^ My bad  :8 If need be, you could fork from my first degaussing post down over to an OT Degaussing thread smile



#54 2014-10-01 18:36:15

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

Head_on_a_Stick wrote:

Just when you thought it was safe to go back to the shell:
http://web.nvd.nist.gov/view/vuln/detai … -2014-6278
Not again!
yikes

This vulnerability is now fixed (I think).
Everybody needs to run:

sudo su -c "apt-get update && apt-get upgrade"

ASAP


#55 2014-10-01 19:27:51

CSCoder4ever
BL Keyboard Troll
From: /dev/zero
Registered: 2013-09-03
Posts: 2,256

Re: [CVE-2014-6271] Update the Bash package ASAP

^ Will do... seems like my Archbook is all updated already doe. lawl.


#56 2014-10-01 20:28:33

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

Head_on_a_Stick wrote:
Head_on_a_Stick wrote:

Just when you thought it was safe to go back to the shell:
http://web.nvd.nist.gov/view/vuln/detai … -2014-6278
Not again!
yikes

This vulnerability is now fixed (I think).
Everybody needs to run:

sudo su -c "apt-get update && apt-get upgrade"

ASAP


Just did it! Whew . . . glad that's over smile Now the question is, is it safe enough to remove my tinfoil hat for a quick degaussing?



#57 2014-10-04 23:12:16

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

I have one doubt about the "Shellshock".
Well, now after update/upgrade it's all right again, but how can you know if something was changed on your computer before upgrading and resolving the bash problem?
Is there any way to check it? smile


#58 2014-10-04 23:36:18

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

Just run my update command from post #54...
I think there was another bash update this morning.

sudo su -c "apt-get update && apt-get upgrade"

Do it every week or so, just in case...
If you're really worried, switch to (eg) zsh instead:

sudo apt-get install zsh
sudo chsh -s $(which zsh)

In Debian, /bin/sh is already linked to Dash rather than BASH (not the case in, for example, Arch -- speeds up the system when running scripts with a /bin/sh shebang) so this will theoretically stop your system using BASH entirely.


#59 2014-10-05 00:23:16

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

gazpacho wrote:

I have one doubt about the "Shellshock".
Well, now after update/upgrade it's all right again, but how can you know if something was changed on your computer before upgrading and resolving the bash problem?
Is there any way to check it? smile

I would also like to know this.  If DHCP clients allow a way in, then many more of us were vulnerable than I initially thought.  (I'm still not wearing any unstylish giant hat, aluminum foil or otherwise. tongue )


#60 2014-10-05 00:29:04

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

@pvsage -- that shouldn't affect Debian installations: /bin/sh is not linked to BASH so shell scripts are run via dash instead...
wink


#61 2014-10-05 00:55:46

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

pvsage wrote:

I'm still not wearing any unstylish giant hat, aluminum foil or otherwise. tongue

lol

Ah... Thanks Head_on_a_Stick

Last edited by gazpacho (2014-10-05 01:09:15)


#62 2014-10-05 13:24:41

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

pvsage wrote:

I'm still not wearing any unstylish giant hat, aluminum foil or otherwise. tongue

Compared to other headwear out there, the (U)#!ETHDC standard issue Tinfoil Hat isn't that bulky, & I, for one, haven't taken mine off since this whole thing began (except, of course, for routine maintenance & degaussing) big_smile

Last edited by #!_828 (2014-10-05 13:25:47)



#63 2014-10-05 16:40:52

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

Please, I have another doubt about this topic.
Imagine that someone gained access to your computer using this vulnerability.
Once the patch is applied, would you be out of danger, or could an intruder have changed something that continues to function even after?
Just curious... I'm still a novice with Linux 8o


#64 2014-10-05 19:54:09

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-6271] Update the Bash package ASAP

The scope of changes that could have been made to your system depends on your local configuration and is much too broad to discuss with incomplete information. The discussion would degrade into nonsensical guessing and speculation, yielding no results.

Regarding changes that rely on the bash bug, however: reboot your system or restart all processes that use /bin/bash. The reason is that any running instance of bash that was started before /bin/bash was replaced with a fixed binary is still running the old bash code it was started with.


Tannhäuser ~ {www,pkg,ddl}.bunsenlabs.org/{gitlog,repoidx}
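
Added example (not part of any post in this thread): the point in post #64 can be checked from a shell, because Linux marks the /proc/<pid>/exe target of a process with " (deleted)" once the binary it was started from has been replaced. The function names and the optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: find processes still executing a bash binary that has since
# been replaced on disk (for instance by "apt-get upgrade").
# Linux appends " (deleted)" to the /proc/<pid>/exe link target once the file
# a process was started from has been unlinked or replaced.

# stale_bash_pids [PROC_ROOT]
# Prints one "PID<TAB>exe target" line per stale bash process.
# PROC_ROOT defaults to /proc; the argument is an assumption of this example
# so the function can be pointed at a constructed directory tree.
stale_bash_pids() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for processes owned by other
        # users when not running as root; those entries are skipped.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            */bash" (deleted)")
                printf '%s\t%s\n' "${dir##*/}" "$target"
                ;;
        esac
    done
    return 0
}

# count_stale_bash [PROC_ROOT]: number of stale bash processes found.
count_stale_bash() {
    stale_bash_pids "$1" | wc -l | tr -d ' '
}

# Report against the live system when the file is run directly.
stale_bash_pids /proc
```

Run it as root to see every user's processes; any PID it prints was started before the upgrade and needs a restart (or reboot, as suggested above).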


#65 2014-10-05 20:15:26

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

Thanks twoion.
When you talk about rebooting the system, do you mean a simple reboot, for example from cb-exit?
I understand that this is something that can have more effect on a computer that is always on, like a server, right?


#66 2014-10-05 20:35:54

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-6271] Update the Bash package ASAP

^ Correct, sysadmins who could afford it have probably already restarted systems that were affected. And yes, this is about a simple reboot, nothing big.



#67 2014-10-05 20:46:23

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

gazpacho wrote:

Imagine that someone gained access to your computer using this vulnerability.
Once the patch is applied, would you be out of danger, or could an intruder have changed something that continues to function even after?

In general, the reason why this vulnerability ends at the patch & why Linux doesn't need anti-virus software is because nobody, & no program, can make changes to system files (anything outside of the /home folder) without an authorized root password. That's just how Unix was designed



#68 2014-10-06 09:44:14

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

That's something I've never understood about linux.
If you don't have the root password you can't change the system files, only the home folder content. But if someone puts a program in a user's home folder to record all the keyboard inputs, they could get the root password and then change the system, right?
I don't log in as root, but when I update/upgrade (for example) I need to use sudo.


#69 2014-10-06 13:54:23

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

^ Any programs that could be set to run automatically would require an executable binary to be placed in /usr/bin, in addition to an activation script that could be hidden in your home folder (& probably other scripts & binaries in other parts of the root file system). However, with physical access to the machine, anything is possible, but that's really not relevant to the issue at hand.

If it's keeping you up at night, just make sure you get bash patched up, then change the root password smile



#70 2014-10-06 16:40:57

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

Thanks, after applying the patch I'm not really worried about the bash problem, I just wanted to know more about security in Linux.
I remember one day when I was recommending linux to a friend, partly for security (although for me it is more an ideological issue) because he always had problems with windows, but when he asked me something similar I could not answer.
Anyway, as I said, thank you very much for the help especially knowing that I have strayed a bit from the main topic of this post.


#71 2014-10-06 17:12:08

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

No problem, they were interesting questions.

Because vulnerabilities like this are exceedingly rare, & the kernel (of both Linux & other open Unix-like OS's) is so well established & constantly being monitored, any effort to find a way to make a windows-style virus to spread & infect Linux would really just be an exercise in futility. Therefore, most malignant hackers just target inept, unenlightened Windows users wink



#72 2014-10-07 13:57:49

kosmos890
#! Member
Registered: 2012-05-01
Posts: 76

Re: [CVE-2014-6271] Update the Bash package ASAP

I can't update bash. Please help me.

km@km:~$ bash -version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

My sources.list

## CRUNCHBANG
## Compatible with Debian Wheezy, but use at your own risk.
deb http://packages.crunchbang.org/waldorf waldorf main
# deb-src http://packages.crunchbang.org/waldorf waldorf main
## DEBIAN
deb http://http.debian.net/debian wheezy main contrib non-free
# deb-src http://http.debian.net/debian wheezy main contrib non-free
## DEBIAN SECURITY
deb http://security.debian.org/ wheezy/updates main
# deb-src http://security.debian.org/ wheezy/updates main
#Install latest version of Iceweasel
# deb http://mozilla.debian.net/ wheezy-backports iceweasel-release
#PostgreSQL 
# deb http://apt.postgresql.org/pub/repos/apt/ precise-pgdg main
km@km:~$ sudo su -c "apt-get update && apt-get upgrade"
Hit http://packages.crunchbang.org waldorf Release.gpg
Ign http://ppa.launchpad.net wheezy Release.gpg                                            
Hit http://security.debian.org wheezy/updates Release.gpg                                              
Hit http://apt.postgresql.org wheezy-pgdg Release.gpg                                                  
Hit http://packages.crunchbang.org waldorf Release                                                                       
Ign http://ppa.launchpad.net wheezy Release.gpg                                                                                                 
Hit http://http.debian.net wheezy Release.gpg                                                                            
Hit http://security.debian.org wheezy/updates Release                                                                    
Hit http://packages.crunchbang.org waldorf/main amd64 Packages                                                                                 
Ign http://ppa.launchpad.net wheezy Release                                                                              
Hit http://security.debian.org wheezy/updates/main amd64 Packages                                                        
Hit http://packages.crunchbang.org waldorf/main i386 Packages                              
Ign http://ppa.launchpad.net wheezy Release                                                
Hit http://http.debian.net wheezy Release                                                  
Hit http://apt.postgresql.org wheezy-pgdg Release                                                                
Hit http://security.debian.org wheezy/updates/main i386 Packages                                                  
Hit http://http.debian.net wheezy/main amd64 Packages                                                                    
Hit http://security.debian.org wheezy/updates/main Translation-en                                                        
Hit http://apt.postgresql.org wheezy-pgdg/main amd64 Packages                                                                                  
Hit http://http.debian.net wheezy/contrib amd64 Packages                                                                                       
Hit http://http.debian.net wheezy/non-free amd64 Packages                                                                
Hit http://http.debian.net wheezy/main i386 Packages                                                                     
Hit http://apt.postgresql.org wheezy-pgdg/main i386 Packages                                       
Hit http://http.debian.net wheezy/contrib i386 Packages                                    
Hit http://http.debian.net wheezy/non-free i386 Packages                                                                 
Hit http://http.debian.net wheezy/contrib Translation-en                                                                 
Ign http://packages.crunchbang.org waldorf/main Translation-en_US                          
Hit http://http.debian.net wheezy/main Translation-en                                      
Hit http://http.debian.net wheezy/non-free Translation-en                                  
Ign http://packages.crunchbang.org waldorf/main Translation-en       
Ign http://apt.postgresql.org wheezy-pgdg/main Translation-en_US     
Ign http://apt.postgresql.org wheezy-pgdg/main Translation-en
Err http://ppa.launchpad.net wheezy/main Sources
  404  Not Found
Err http://ppa.launchpad.net wheezy/main amd64 Packages
  404  Not Found
Err http://ppa.launchpad.net wheezy/main i386 Packages
  404  Not Found
Ign http://ppa.launchpad.net wheezy/main Translation-en_US
Ign http://ppa.launchpad.net wheezy/main Translation-en
Err http://ppa.launchpad.net wheezy/main Sources
  404  Not Found
Err http://ppa.launchpad.net wheezy/main amd64 Packages
  404  Not Found
Err http://ppa.launchpad.net wheezy/main i386 Packages
  404  Not Found
Ign http://ppa.launchpad.net wheezy/main Translation-en_US
Ign http://ppa.launchpad.net wheezy/main Translation-en
W: Failed to fetch http://ppa.launchpad.net/tsbarnes/indicator-keylock/ubuntu/dists/wheezy/main/source/Sources  404  Not Found

W: Failed to fetch http://ppa.launchpad.net/tsbarnes/indicator-keylock/ubuntu/dists/wheezy/main/binary-amd64/Packages  404  Not Found

W: Failed to fetch http://ppa.launchpad.net/tsbarnes/indicator-keylock/ubuntu/dists/wheezy/main/binary-i386/Packages  404  Not Found

W: Failed to fetch http://ppa.launchpad.net/ubuntugis/ppa/ubuntu/dists/wheezy/main/source/Sources  404  Not Found

W: Failed to fetch http://ppa.launchpad.net/ubuntugis/ppa/ubuntu/dists/wheezy/main/binary-amd64/Packages  404  Not Found

W: Failed to fetch http://ppa.launchpad.net/ubuntugis/ppa/ubuntu/dists/wheezy/main/binary-i386/Packages  404  Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.


#73 2014-10-07 15:57:00

damo
#! gimpbanger
From: N51.5 W002.8 (mostly)
Registered: 2011-11-24
Posts: 5,434

Re: [CVE-2014-6271] Update the Bash package ASAP

Ooops, who's been mixing 'buntu sources into his Debian system?

Did you try

sudo apt-get install --reinstall bash

BunsenLabs Group on deviantArt
damo's gallery on deviantArt
Openbox themes
Forum Moderator smile


#74 2014-10-07 16:05:27

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667

Re: [CVE-2014-6271] Update the Bash package ASAP

kosmos890 wrote:

I can't update bash. Please help me.

What files do you have in: /etc/apt/sources.list.d

You have "launchpad" in there someplace ... not comparable with #!

try a command a bit more simple:

sudo apt-get update

if that works without error try:

sudo apt-get dist-upgrade --no-install-recommends

EDIT:
ninja'd by damo!
----------------------
also with these in there:

Hit http://apt.postgresql.org wheezy-pgdg/main amd64 Packages   
Hit http://apt.postgresql.org wheezy-pgdg/main i386 Packages 
Ign http://apt.postgresql.org wheezy-pgdg/main Translation-en_US     
Ign http://apt.postgresql.org wheezy-pgdg/main Translation-en

I have to ask - are you running a 23 or 64 bit system?


·  ↓   ↓   ↓   ↓   ↓   ↓  ·
BunsenLabs Forums now Open for Registration
·  ↑   ↑   ↑   ↑   ↑   ↑  · BL ModSquad
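
Added example, not from any poster: one way to answer the question about /etc/apt/sources.list.d is to match the failing URLs in the apt-get output against the files that define them. The function names are assumptions of this example; the two sample warnings are copied from post #72.

```shell
#!/bin/sh
# Added example: map "W: Failed to fetch" warnings from apt-get update to the
# files under sources.list.d that define the failing repositories.

# Two warning lines copied from post #72, used as sample input.
SAMPLE_APT_OUTPUT='W: Failed to fetch http://ppa.launchpad.net/tsbarnes/indicator-keylock/ubuntu/dists/wheezy/main/source/Sources  404  Not Found
W: Failed to fetch http://ppa.launchpad.net/ubuntugis/ppa/ubuntu/dists/wheezy/main/binary-amd64/Packages  404  Not Found'

# failed_repo_bases: read apt-get output on stdin and print the unique
# repository base URLs (everything before /dists/) of the failed fetches.
failed_repo_bases() {
    sed -n 's|^W: Failed to fetch \([^ ]*\)/dists/.*|\1|p' | sort -u
}

# files_defining DIR BASE_URL: print the *.list files in DIR that contain an
# active (uncommented) line mentioning BASE_URL. The *.list.save backups that
# apt leaves behind are not read by apt and are ignored here too.
files_defining() {
    list_dir=$1
    base_url=$2
    for f in "$list_dir"/*.list; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -qF "$base_url"; then
            printf '%s\n' "$f"
        fi
    done
}

# broken_source_files DIR: apt-get output on stdin, offending files on stdout.
broken_source_files() {
    src_dir=$1
    failed_repo_bases | while IFS= read -r base; do
        files_defining "$src_dir" "$base"
    done | sort -u
}

# Usage on a real system, after sourcing this file:
#   sudo apt-get update 2>&1 | broken_source_files /etc/apt/sources.list.d
```

Commenting out the active lines in the reported files removes the 404 errors from apt-get update, so the update and upgrade can then be rerun.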


#75 2014-10-07 16:35:39

kosmos890
#! Member
Registered: 2012-05-01
Posts: 76

Re: [CVE-2014-6271] Update the Bash package ASAP

@gimpbanger
Thanks for your reply

gimpbanger wrote:

Ooops, whose been mixing 'buntu sources into his Debian system?

Can you help me to fix sources.list?
I am not sure which line to comment out.

gimpbanger wrote:

Did you try

sudo apt-get install --reinstall bash

Yes but I have again the same version of bash (4.2.37)

@77345
Thanks for your reply

77345 wrote:

What files do you have in: /etc/apt/sources.list.d

km@km:/etc/apt/sources.list.d$ ls
pgdg.list       tsbarnes-indicator-keylock-wheezy.list       ubuntugis-ppa-wheezy.list
pgdg.list.save  tsbarnes-indicator-keylock-wheezy.list.save  ubuntugis-ppa-wheezy.list.save

tsbarnes-indicator-keylock-wheezy.list : This package is required for a keylock indicator.
ubuntugis-ppa-wheezy.list : This package is required for the GIS Cartaro
Unfortunately I can't install these packages and I can remove them.

77345 wrote:

Did you try

sudo apt-get update

I have the same error messages.

77345 wrote:

I have to ask - are you running a 23 or 64 bit system?

I am running a 64 bit system.
