[CVE-2014-6271] Update the Bash package ASAP

Sector11 · 2014-10-07 17:32:57

kosmos890 wrote:

km@km:/etc/apt/sources.list.d$ ls
pgdg.list       tsbarnes-indicator-keylock-wheezy.list       ubuntugis-ppa-wheezy.list
pgdg.list.save  tsbarnes-indicator-keylock-wheezy.list.save  ubuntugis-ppa-wheezy.list.save
tsbarnes-indicator-keylock-wheezy.list : This package is required for a keylock indicator.
ubuntugis-ppa-wheezy.list : This package is required for the GIS [url=http://cartaro.org]Cartaro[/url]

Unfortunately Ι can't install these packages and I can remove them.

Actually you can remove them and should remove them. They are for Ubuntu and not recommended in Debian for reasons you are experiencing.

Start with renaming them:

/etc/apt/sources.list.d/pgdg.list_XXX
/etc/apt/sources.list.d/pgdg.list.save_XXX
/etc/apt/sources.list.d/tsbarnes-indicator-keylock-wheezy.list_XXX
/etc/apt/sources.list.d/ubuntugis-ppa-wheezy.list_XXX

Then run this again:

sudo apt-get update

if that works without error try:

sudo apt-get dist-upgrade --no-install-recommends

If that works delete the files that end in "_XXX" above.

Sector11 · 2014-10-07 17:55:28

@ kosmos890

and anyone else who cares to know

The difference between Names and Titles
We are not our "Titles"

damo is not #! gimpbanger
Sector11 is not 77345 ¡# and
kosmos890 is not #! Member

kosmos890 · 2014-10-08 17:33:53

Sector11 wrote:

We are not our "Titles"

I apologise for my silly mistake.

I removed all ubuntu packages from sources.list.d
Then I ran sudo apt-get update and sudo apt-get dist-upgrade --no-install-recommends.
The system was upgraded.
But the version of bash is still 4.2.37.

km@km:~$ sudo apt-get update
Hit http://security.debian.org wheezy/updates Release.gpg                                     
Hit http://http.debian.net wheezy Release.gpg                                                 
Hit http://packages.crunchbang.org waldorf Release.gpg
Hit http://security.debian.org wheezy/updates Release
Hit http://packages.crunchbang.org waldorf Release                                                 
Hit http://http.debian.net wheezy Release                                    
Hit http://security.debian.org wheezy/updates/main amd64 Packages    
Hit http://packages.crunchbang.org waldorf/main amd64 Packages                           
Hit http://security.debian.org wheezy/updates/main i386 Packages      
Hit http://packages.crunchbang.org waldorf/main i386 Packages                                                  
Hit http://http.debian.net wheezy/main amd64 Packages                                                          
Hit http://security.debian.org wheezy/updates/main Translation-en                         
Hit http://http.debian.net wheezy/contrib amd64 Packages                                 
Hit http://http.debian.net wheezy/non-free amd64 Packages                                
Hit http://http.debian.net wheezy/main i386 Packages               
Hit http://http.debian.net wheezy/contrib i386 Packages            
Hit http://http.debian.net wheezy/non-free i386 Packages           
Hit http://http.debian.net wheezy/contrib Translation-en           
Hit http://http.debian.net wheezy/main Translation-en              
Hit http://http.debian.net wheezy/non-free Translation-en               
Ign http://packages.crunchbang.org waldorf/main Translation-en_US 
Ign http://packages.crunchbang.org waldorf/main Translation-en
Reading package lists... Done
km@km:~$ sudo apt-get dist-upgrade --no-install-recommends
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
km@km:~$ bash -version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Head_on_a_Stick · 2014-10-08 17:54:45

@kosmos890: What is the output of:

apt-cache policy bash

gazpacho · 2014-10-08 19:18:58

I don't understand.
Isn't the 4.2.37(1) the more updated bash version on wheezy??
I have the same version after upgrade the bash.

Sector11 · 2014-10-08 20:29:47

Yes it is, there are a couple of ways to get the version:

 08 Oct 14 | 17:25:08 ~
    $ apt-cache policy bash
bash:
  Installed: 4.2+dfsg-0.1+deb7u3
  Candidate: 4.2+dfsg-0.1+deb7u3
  Version table:
 *** 4.2+dfsg-0.1+deb7u3 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-0.1 0
        500 http://http.debian.net/debian/ wheezy/main amd64 Packages
 
 08 Oct 14 | 17:25:29 ~
    $ bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
 08 Oct 14 | 17:25:49 ~
    $

And then a test:

 08 Oct 14 | 17:25:49 ~
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
 
 08 Oct 14 | 17:28:05 ~
    $

If you see "this is a test" you're safe!

Head_on_a_Stick · 2014-10-08 20:37:39

Sector11 wrote:

And then a test:

 08 Oct 14 | 17:25:49 ~
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
 
 08 Oct 14 | 17:28:05 ~
    $

If you see "this is a test" you're safe!

That's just for the first vulnerability -- there were four more discovered (2 were a result of the rushed first patch)...
As long as you have the version listed in @Sector11's post you are covered.

Sector11 · 2014-10-08 21:04:32

Head_on_a_Stick wrote:

Sector11 wrote:
If you see "this is a test" you're safe!
That's just for the first vulnerability -- there were four more discovered (2 were a result of the rushed first patch)...
As long as you have the version listed in @Sector11's post you are covered.

OHOH! I didn't know that ... thank you.
Live and learn something new!

gazpacho · 2014-10-08 21:27:53

I read about the other vulnerabilities and made some test for check.
But I said that about the 4.2.37 because Kosmos890 says can't update the bash, but already has the last version...right?

pvsage · 2014-10-08 22:03:12

@gazpacho: http://crunchbang.org/forums/viewtopic. … 79#p398579
If you see +deb7u3, you're up-to-date.

gazpacho · 2014-10-08 22:18:50

Yes, thanks, I'm not talking about me, I have the last bash version for wheezy and if I'm not wrong is the same that have Kosmos890.
That's why I do not understand why Kosmos890 says can not update. Am I missing something?

seraphtrend · 2014-10-09 01:54:59

Safe here thanks to this great comunity

gazpacho · 2014-10-09 11:04:10

Yes, that's true. I have not much experience here, but have always received good responses and good vibes.

kosmos890 · 2014-10-09 15:20:04

Thanks all for your replies.

@Head_on_a_Stick

km@km:~$ apt-cache policy bash
bash:
  Installed: 4.2+dfsg-0.1+deb7u3
  Candidate: 4.2+dfsg-0.1+deb7u3
  Version table:
 *** 4.2+dfsg-0.1+deb7u3 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2+dfsg-0.1 0
        500 http://http.debian.net/debian/ wheezy/main amd64 Packages

It seems that now I have the secure version of bash 4.2+dfsg-0.1+deb7u3 as I read here.

I do not know which test to use

Head_on_a_Stick's post#6

km@km:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Sector11's post#11

km@km:~$ x='() { :;}; echo "VULNERABLE"' bash -c "echo this is a test"
this is a test
km@km:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

pvsage wrote:

If you see +deb7u3, you're up-to-date.

Am I safe now ?

Sorry for all these questions but I'm not experienced user.

#!_828 · 2014-10-09 21:23:50

^ I've also had unexpected results trying these tests, so just to simply reiterate, if the output of apt-cache policy bash appears as follows:

Username@Hostname:~$ apt-cache policy bash
bash:
  Installed: 4.2+dfsg-0.1+deb7u3
[etc.]

then you're fine

Last edited by #!_828 (2014-10-09 21:24:50)

Sector11 · 2014-10-09 23:52:49

kosmos890 wrote:

Am I safe now ?

Yes!

damo · 2014-10-10 00:11:48

Sector11 wrote:

kosmos890 wrote:
Am I safe now ?
Yes!

Only if you wear a tinfoil hat and hide under a table

#!_828 · 2014-10-10 00:45:00

damo wrote:

Sector11 wrote:
kosmos890 wrote:
Am I safe now ?
Yes!
Only if you wear a tinfoil hat and hide under a table

I second that tinfoil hat part With that, the table is really not necessary (just be sure to degauss said tinfoil hat regularly)

Last edited by #!_828 (2014-10-10 00:45:43)

pvsage · 2014-10-10 06:04:28

damo wrote:

Sector11 wrote:
kosmos890 wrote:
Am I safe now ?
Yes!
Only if you wear a tinfoil hat and hide under a table

Not even. You're only safe if you're in a bunker with 6 feet of concrete in every direction, plus a lead roof at least a foot thick...in case somebody set up us The Bomb. Of course, then you have to worry about that lead leeching into your water supply. (Wasn't sure which way to go with this. Would "because The Bomb" have been funnier than the Zero Wing reference? "Because {noun}" seems to be what has the kids LingOL these days.)

...but as far as Shellshock is concerned, yes, you are safe.

#!_828 · 2014-10-10 11:48:09

^That's how Mr. Brown got arrested at the airport. He went to meet some people flying in, & brought a cake with him. When asked by the TSA, "What's in the box?" He replied "Man, you gotta try some of this, man, it's da bomb!"

Sector11 · 2014-10-10 13:26:05

^ That's like yellin' "Hi Jack! Over here!" as your uncle Jack comes through the debarkation doors at the airport...

Say what? Going where? Waddido? Waddido? Get yur hands off me! HELP! MARTHAAAA!!!

#!_828 · 2014-10-10 13:35:44

That was an argument one of my old history teachers used to refute that there was any kind of protection of free speech in America, that it's illegal to say 'hi' to his son in an airport (his name is also Jack)

CrunchBang Linux

SEARCH

#76 2014-10-07 17:32:57

Re: [CVE-2014-6271] Update the Bash package ASAP

#77 2014-10-07 17:55:28

Re: [CVE-2014-6271] Update the Bash package ASAP

@ kosmos890

#78 2014-10-08 17:33:53

Re: [CVE-2014-6271] Update the Bash package ASAP

#79 2014-10-08 17:54:45

Re: [CVE-2014-6271] Update the Bash package ASAP

#80 2014-10-08 19:18:58

Re: [CVE-2014-6271] Update the Bash package ASAP

#81 2014-10-08 20:29:47

Re: [CVE-2014-6271] Update the Bash package ASAP

#82 2014-10-08 20:37:39

Re: [CVE-2014-6271] Update the Bash package ASAP

#83 2014-10-08 21:04:32

Re: [CVE-2014-6271] Update the Bash package ASAP

#84 2014-10-08 21:27:53

Re: [CVE-2014-6271] Update the Bash package ASAP

#85 2014-10-08 22:03:12

Re: [CVE-2014-6271] Update the Bash package ASAP

#86 2014-10-08 22:18:50

Re: [CVE-2014-6271] Update the Bash package ASAP

#87 2014-10-09 01:54:59

Re: [CVE-2014-6271] Update the Bash package ASAP

#88 2014-10-09 11:04:10

Re: [CVE-2014-6271] Update the Bash package ASAP

#89 2014-10-09 15:20:04

Re: [CVE-2014-6271] Update the Bash package ASAP

#90 2014-10-09 21:23:50

Re: [CVE-2014-6271] Update the Bash package ASAP

#91 2014-10-09 23:52:49

Re: [CVE-2014-6271] Update the Bash package ASAP

#92 2014-10-10 00:11:48

Re: [CVE-2014-6271] Update the Bash package ASAP

#93 2014-10-10 00:45:00

Re: [CVE-2014-6271] Update the Bash package ASAP

#94 2014-10-10 06:04:28

Re: [CVE-2014-6271] Update the Bash package ASAP

#95 2014-10-10 11:48:09

Re: [CVE-2014-6271] Update the Bash package ASAP

#96 2014-10-10 13:26:05

Re: [CVE-2014-6271] Update the Bash package ASAP

#97 2014-10-10 13:35:44

Re: [CVE-2014-6271] Update the Bash package ASAP

Board footer