
#76 2014-10-07 17:32:57

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

kosmos890 wrote:
km@km:/etc/apt/sources.list.d$ ls
pgdg.list       tsbarnes-indicator-keylock-wheezy.list       ubuntugis-ppa-wheezy.list
pgdg.list.save  tsbarnes-indicator-keylock-wheezy.list.save  ubuntugis-ppa-wheezy.list.save
tsbarnes-indicator-keylock-wheezy.list : This package is required for a keylock indicator.
ubuntugis-ppa-wheezy.list : This package is required for the GIS Cartaro (http://cartaro.org)

Unfortunately I can't install these packages and I can remove them.

Actually you can remove them and should remove them.  They are for Ubuntu and not recommended in Debian for reasons you are experiencing.

Start with renaming them:

/etc/apt/sources.list.d/pgdg.list_XXX
/etc/apt/sources.list.d/pgdg.list.save_XXX
/etc/apt/sources.list.d/tsbarnes-indicator-keylock-wheezy.list_XXX
/etc/apt/sources.list.d/ubuntugis-ppa-wheezy.list_XXX

Then run this again:

sudo apt-get update

If that works without error, try:

sudo apt-get dist-upgrade --no-install-recommends

If that works, delete the files that end in "_XXX" above.


·  ↓   ↓   ↓   ↓   ↓   ↓  ·
BunsenLabs Forums now Open for Registration
·  ↑   ↑   ↑   ↑   ↑   ↑  · BL ModSquad

Offline

Be excellent to each other!

#77 2014-10-07 17:55:28

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

@ kosmos890

and anyone else who cares to know

The difference between Names and Titles
We are not our "Titles"

  • damo is not #! gimpbanger

  • Sector11 is not 77345 ¡# and

  • kosmos890 is not #! Member

2014_10_07_14_53_15_476x172_Sector11.jpg



Offline

#78 2014-10-08 17:33:53

kosmos890
#! Member
Registered: 2012-05-01
Posts: 76

Re: [CVE-2014-6271] Update the Bash package ASAP

Sector11 wrote:

We are not our "Titles"

I apologise for my silly mistake.

I removed all ubuntu packages from sources.list.d
Then I ran sudo apt-get update and sudo apt-get dist-upgrade --no-install-recommends.
The system was upgraded.
But the version of bash is still 4.2.37.

km@km:~$ sudo apt-get update
Hit http://security.debian.org wheezy/updates Release.gpg                                     
Hit http://http.debian.net wheezy Release.gpg                                                 
Hit http://packages.crunchbang.org waldorf Release.gpg
Hit http://security.debian.org wheezy/updates Release
Hit http://packages.crunchbang.org waldorf Release                                                 
Hit http://http.debian.net wheezy Release                                    
Hit http://security.debian.org wheezy/updates/main amd64 Packages    
Hit http://packages.crunchbang.org waldorf/main amd64 Packages                           
Hit http://security.debian.org wheezy/updates/main i386 Packages      
Hit http://packages.crunchbang.org waldorf/main i386 Packages                                                  
Hit http://http.debian.net wheezy/main amd64 Packages                                                          
Hit http://security.debian.org wheezy/updates/main Translation-en                         
Hit http://http.debian.net wheezy/contrib amd64 Packages                                 
Hit http://http.debian.net wheezy/non-free amd64 Packages                                
Hit http://http.debian.net wheezy/main i386 Packages               
Hit http://http.debian.net wheezy/contrib i386 Packages            
Hit http://http.debian.net wheezy/non-free i386 Packages           
Hit http://http.debian.net wheezy/contrib Translation-en           
Hit http://http.debian.net wheezy/main Translation-en              
Hit http://http.debian.net wheezy/non-free Translation-en               
Ign http://packages.crunchbang.org waldorf/main Translation-en_US 
Ign http://packages.crunchbang.org waldorf/main Translation-en
Reading package lists... Done
km@km:~$ sudo apt-get dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
km@km:~$ bash -version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Offline

#79 2014-10-08 17:54:45

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

@kosmos890: What is the output of:

apt-cache policy bash

Offline

#80 2014-10-08 19:18:58

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

I don't understand.
Isn't 4.2.37(1) the most up-to-date bash version on wheezy?
I have the same version after upgrading bash.

Offline

#81 2014-10-08 20:29:47

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

Yes it is, there are a couple of ways to get the version:

 08 Oct 14 | 17:25:08 ~
    $ apt-cache policy bash
bash:
  Installed: 4.2+dfsg-0.1+deb7u3
  Candidate: 4.2+dfsg-0.1+deb7u3
  Version table:
 *** 4.2+dfsg-0.1+deb7u3 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-0.1 0
        500 http://http.debian.net/debian/ wheezy/main amd64 Packages
 
 08 Oct 14 | 17:25:29 ~
    $ bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
 08 Oct 14 | 17:25:49 ~
    $ 

And then a test:

 08 Oct 14 | 17:25:49 ~
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
 
 08 Oct 14 | 17:28:05 ~
    $ 

If you see "this is a test" you're safe!



Offline

#82 2014-10-08 20:37:39

Head_on_a_Stick
CatMod
From: A world of pure imagination
Registered: 2014-01-21
Posts: 4,797

Re: [CVE-2014-6271] Update the Bash package ASAP

Sector11 wrote:

And then a test:

 08 Oct 14 | 17:25:49 ~
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
 
 08 Oct 14 | 17:28:05 ~
    $ 

If you see "this is a test" you're safe!

That's just for the first vulnerability -- there were four more discovered (2 were a result of the rushed first patch)...
As long as you have the version listed in @Sector11's post you are covered.
:)

Offline

#83 2014-10-08 21:04:32

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

Head_on_a_Stick wrote:
Sector11 wrote:

If you see "this is a test" you're safe!

That's just for the first vulnerability -- there were four more discovered (2 were a result of the rushed first patch)...
As long as you have the version listed in @Sector11's post you are covered.
:)

OHOH!  I didn't know that ... thank you.
Live and learn something new!   ;)



Offline

#84 2014-10-08 21:27:53

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

I read about the other vulnerabilities and ran some tests to check.
But I said that about 4.2.37 because kosmos890 says they can't update bash, but they already have the latest version... right?

Offline

#85 2014-10-08 22:03:12

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

@gazpacho: http://crunchbang.org/forums/viewtopic. … 79#p398579
If you see +deb7u3, you're up-to-date.

Offline

#86 2014-10-08 22:18:50

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

Yes, thanks. I'm not talking about myself; I have the latest bash version for wheezy and, if I'm not wrong, it is the same one that kosmos890 has.
That's why I do not understand why kosmos890 says it cannot be updated. Am I missing something?

Offline

#87 2014-10-09 01:54:59

seraphtrend
#! CrunchBanger
From: Florida
Registered: 2011-12-03
Posts: 100

Re: [CVE-2014-6271] Update the Bash package ASAP

Safe here thanks to this great community  :)

Offline

#88 2014-10-09 11:04:10

gazpacho
#! Member
Registered: 2013-05-22
Posts: 57

Re: [CVE-2014-6271] Update the Bash package ASAP

Yes, that's true. I don't have much experience here, but I have always received good responses and good vibes.

Offline

#89 2014-10-09 15:20:04

kosmos890
#! Member
Registered: 2012-05-01
Posts: 76

Re: [CVE-2014-6271] Update the Bash package ASAP

Thanks all for your replies.

@Head_on_a_Stick

km@km:~$ apt-cache policy bash
bash:
  Installed: 4.2+dfsg-0.1+deb7u3
  Candidate: 4.2+dfsg-0.1+deb7u3
  Version table:
 *** 4.2+dfsg-0.1+deb7u3 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-0.1 0
        500 http://http.debian.net/debian/ wheezy/main amd64 Packages

It seems that now I have the secure version of bash 4.2+dfsg-0.1+deb7u3 as I read  here.

I do not know which test to use

Head_on_a_Stick's post#6

km@km:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Sector11's post#11

km@km:~$ x='() { :;}; echo "VULNERABLE"' bash -c "echo this is a test"
this is a test
km@km:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

pvsage wrote:

If you see +deb7u3, you're up-to-date.

Am I safe now ?

Sorry for all these questions but I'm not an experienced user.

Offline

#90 2014-10-09 21:23:50

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

^ I've also had unexpected results trying these tests, so just to simply reiterate, if the output of apt-cache policy bash appears as follows:

Username@Hostname:~$ apt-cache policy bash
bash:
  Installed: 4.2+dfsg-0.1+deb7u3
[etc.]

then you're fine  ;)

Last edited by #!_828 (2014-10-09 21:24:50)


Those who would trade essential liberty for temporary security deserve neither
Member of the (Un)Official #! Emergency Tinfoil Hat Distribution Center
Emergency Tinfoil Hat Conky Alert System development team

Offline
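
Added example, not part of any post in this thread: a shell script that follows the advice above by judging the fix from the Debian package revision (+deb7u3) instead of the unchanged bash --version string, with the one-line test from the thread kept as a secondary check. The function names are made up for illustration, the sample input is abridged from the output posted above, and the suffix comparison assumes wheezy's +deb7uN numbering only.

```sh
#!/bin/sh
# Added example (not from the thread): judge the Shellshock fix on wheezy by
# package revision. FIXED_REV=3 is the "+deb7u3" the posters point to.
FIXED_REV=3

# Print the "Installed:" version from `apt-cache policy bash` text on stdin.
installed_version() {
    awk '$1 == "Installed:" { print $2; exit }'
}

# Succeed if the version ends in +deb7uN with N >= FIXED_REV. The upstream
# string from `bash --version` (4.2.37) is the same before and after the
# security update, so only the Debian revision is compared.
is_fixed_wheezy() {
    rev=${1##*+deb7u}                          # text after the last "+deb7u"
    [ "$rev" != "$1" ] || return 1             # no suffix: unpatched base package
    case $rev in ''|*[!0-9]*) return 1 ;; esac # suffix must be a number
    [ "$rev" -ge "$FIXED_REV" ]
}

# The one-line test quoted in the thread; it covers only CVE-2014-6271.
# Succeeds when the text after the function body is NOT executed.
passes_first_test() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo this is a test' 2>/dev/null) || return 2
    case $out in *vulnerable*) return 1 ;; esac
    [ "$out" = "this is a test" ]
}

# Sample input: abridged from the apt-cache output posted in the thread.
SAMPLE_POLICY='bash:
  Installed: 4.2+dfsg-0.1+deb7u3
  Candidate: 4.2+dfsg-0.1+deb7u3
  Version table:
 *** 4.2+dfsg-0.1+deb7u3 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
     4.2+dfsg-0.1 0
        500 http://http.debian.net/debian/ wheezy/main amd64 Packages'

# $1 = text of `apt-cache policy bash`; prints a one-line verdict.
report() {
    v=$(printf '%s\n' "$1" | installed_version)
    if is_fixed_wheezy "$v"; then echo "bash $v: patched"
    else echo "bash $v: UPDATE NEEDED"; fi
}

report "$SAMPLE_POLICY"
```

On a live system, pass the real output instead of the sample: report "$(apt-cache policy bash)".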

#91 2014-10-09 23:52:49

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

kosmos890 wrote:

Am I safe now ?

Yes!



Offline

#92 2014-10-10 00:11:48

damo
#! gimpbanger
From: N51.5 W002.8 (mostly)
Registered: 2011-11-24
Posts: 5,434

Re: [CVE-2014-6271] Update the Bash package ASAP

Sector11 wrote:
kosmos890 wrote:

Am I safe now ?

Yes!

Only if you wear a tinfoil hat and hide under a table


BunsenLabs Group on deviantArt
damo's gallery on deviantArt
Openbox themes
Forum Moderator :)

Offline

#93 2014-10-10 00:45:00

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

damo wrote:
Sector11 wrote:
kosmos890 wrote:

Am I safe now ?

Yes!

Only if you wear a tinfoil hat and hide under a table

I second that tinfoil hat part :D With that, the table is really not necessary (just be sure to degauss said tinfoil hat regularly) ;)

Last edited by #!_828 (2014-10-10 00:45:43)



Offline

#94 2014-10-10 06:04:28

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 13,970

Re: [CVE-2014-6271] Update the Bash package ASAP

damo wrote:
Sector11 wrote:
kosmos890 wrote:

Am I safe now ?

Yes!

Only if you wear a tinfoil hat and hide under a table

Not even.  You're only safe if you're in a bunker with 6 feet of concrete in every direction, plus a lead roof at least a foot thick...in case somebody set up us The Bomb.  Of course, then you have to worry about that lead leaching into your water supply. :P  (Wasn't sure which way to go with this.  Would "because The Bomb" have been funnier than the Zero Wing reference?  "Because {noun}" seems to be what has the kids LingOL these days.)

...but as far as Shellshock is concerned, yes, you are safe.

Offline

#95 2014-10-10 11:48:09

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

^That's how Mr. Brown got arrested at the airport. He went to meet some people flying in, & brought a cake with him. When asked by the TSA, "What's in the box?" He replied "Man, you gotta try some of this, man, it's da bomb!"  lol



Offline

#96 2014-10-10 13:26:05

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667
Website

Re: [CVE-2014-6271] Update the Bash package ASAP

lol  lol  lol   That's like yellin' "Hi Jack! Over here!" as your uncle Jack comes through the debarkation doors at the airport...

Say what?  Going where? Waddido? Waddido? Get yur hands off me! HELP! MARTHAAAA!!!  lol  lol



Offline

#97 2014-10-10 13:35:44

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-6271] Update the Bash package ASAP

That was an argument one of my old history teachers used to refute that there was any kind of protection of free speech in America, that it's illegal to say 'hi' to his son in an airport (his name is also Jack) lol



Offline
