Danstl's picture

What is the best way to handle this?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Thanks,

Dan

Netrider's picture

I would like to know the same.

Let us know what needs to be done to get that patched.

Thanks

Pete

jlain's picture

Be advised that our Israeli friends are in Zone GMT+2, plus the festival of Rosh Hashanah just began!!! Shana tova, y'all!

Those of us using appliance built on Debian Squeeze, please refer to this: https://security-tracker.debian.org/tracker/CVE-2014-6271.

The fixed version (4.1-3+deb6u1) is available from the Squeeze LTS repository.

Check your version using:

dpkg -s bash | grep Version

If it replies with "4.1.3" then you are shell shocked! Read up on the following links of interest:

http://www.turnkeylinux.org/blog/extending-squeeze-security-support
https://wiki.debian.org/LTS/Using

Adampl's picture

I issued the following

dpkg -s bash | grep Version

and I got:

4.1-3+deb6u2

I followed http://www.turnkeylinux.org/blog/extending-squeeze-security-support

and everything went just fine. Am I vulnerable?

Jeremy Davis's picture

The bash page on the Debian security tracker shows that the Shellshock vulnerability (IIRC Shellshock was covered in CVE-2014-6277, CVE-2014-6278 and CVE-2014-7169) has been patched in bash 4.1-3+deb6u2 (Squeeze LTS).

FWIW you will note that there is a current open vulnerability (CVE-2012-3410) in the Squeeze LTS (i.e. TKL v12.x) version of bash (fixed in Wheezy/TKL v13.x). However it is noted as minor and can apparently only be exploited locally...

Jeremy Davis's picture

As the security fixed version should have been applied by TKL's auto security updates you should be good to go. To double check jlain's advice above also applies to Wheezy based appliances (i.e. TKL v13.x):

dpkg -s bash | grep Version

In v13.x/Wheezy appliances the vulnerable version is 4.2+dfsg-0.1

If you have 4.2+dfsg-0.1+deb7u1 or newer then you are good. (FWIW I have 4.2+dfsg-0.1+deb7u3 on my TKL v13.1 systems).

See also https://security-tracker.debian.org/tracker/CVE-2014-6271

Danstl's picture

Yeah, it looks like we are also good to go here - thanks auto magic update :)

Jeremy Davis's picture

Whilst 4.2+dfsg-0.1+deb7u1 does address CVE-2014-6271, the shellshock vulnerability (as it is now being called) is actually covered by 3 CVEs: CVE-2014-7169, CVE-2014-7186 & CVE-2014-7187 (see https://security-tracker.debian.org/tracker/DSA-3035-1) so to be completely safe you need to have 4.2+dfsg-0.1+deb7u3 (or newer) installed.

As I posted above, all TKL v13.1 users should be safe (due to auto security updates) but always good practice to double check! :)

Russell Alphey's picture

I have the version mentioned, but the bug is still there, at least according to this test -

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it returns the text “this is a test,” your system is vulnerable.

R.

Jeremy Davis's picture

My understanding is that if the response includes the word "vulnerable" then you are vulnerable, otherwise not (i.e. if it just says "this is a test" then you are NOT vulnerable).

Have a look on ServerFault where the same test as you mention is listed (2nd line of top answer) and it states: "it should NOT echo back the word vulnerable."

Note too that that test only checks for one of the (3) vulnerabilities that are included under the moniker "shellshock".

I don't mean to shut you down. Please feel free to demonstrate that I am wrong! :)

JS's picture

I too have the 'patched' version of Bash but the vulnerability test mentioned still works.

# dpkg -s bash | grep Version
Version: 4.2+dfsg-0.1+deb7u3

# uname -a
Linux <Snipped> 3.14-1-amd64 #1 SMP Debian 3.14.2-1 (2014-04-28) x86_64 GNU/Linux

# cat /etc/turnkey_version
turnkey-otrs-13.0-wheezy-amd64

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Jeremy Davis's picture

Please read my post above.

Unless the response you get includes the word "vulnerable" (which yours doesn't) then you are NOT vulnerable to that part of the shellshock bug (but there are 2 other parts to it...!)
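A small check script that combines the two pieces of advice in this thread: compare the dpkg Version of bash against the fixed revisions quoted above (4.1-3+deb6u2 for Squeeze / TKL v12.x, 4.2+dfsg-0.1+deb7u3 for Wheezy / TKL v13.x), and classify the output of the env test by whether the word "vulnerable" appears rather than by whether "this is a test" is printed. This is an added example, not something posted in the thread; it only knows about those two Debian branches and assumes dpkg is present for the last function.

```shell
#!/bin/sh
# Added example (not from the thread). Fixed revisions assumed from the
# posts above: Squeeze needs 4.1-3+deb6u2, Wheezy needs 4.2+dfsg-0.1+deb7u3.

# Classify the output of the env test quoted in the thread. Only the
# presence of the word "vulnerable" matters; "this is a test" is always
# printed, so it says nothing about patch status.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo "VULNERABLE" ;;
        *)            echo "patched" ;;
    esac
}

# Run the thread's test against a given bash binary (default: bash in
# PATH). Patched builds may print an "ignoring function definition"
# warning, which does not contain the word "vulnerable".
run_shellshock_test() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" -c "echo this is a test" 2>&1)
    classify_shellshock_output "$out"
}

# Check a dpkg Version string for bash against the fixed revisions named
# in the thread. Prints "patched", "VULNERABLE" or "unknown" (a branch
# this script does not know about).
bash_version_status() {
    ver="$1"
    case "$ver" in
        4.1-3+deb6u*)         need=2; n=${ver##*deb6u} ;;   # Squeeze LTS
        4.2+dfsg-0.1+deb7u*)  need=3; n=${ver##*deb7u} ;;   # Wheezy
        4.1-3|4.2+dfsg-0.1)   echo "VULNERABLE"; return ;;  # unpatched base
        *)                    echo "unknown"; return ;;
    esac
    if [ "$n" -ge "$need" ]; then echo "patched"; else echo "VULNERABLE"; fi
}

# Read the installed version the same way the posts do and classify it.
installed_bash_status() {
    ver=$(dpkg -s bash 2>/dev/null | sed -n 's/^Version: //p')
    [ -n "$ver" ] || { echo "unknown"; return; }
    bash_version_status "$ver"
}
```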

Casey's picture

Hi all, 

TK 12 doesn't seem to be able to find any upgrades to BASH. Anyone know how to patch it for 12? (Other than "upgrade to 13!", unless someone knows an easy path to upgrade.) I appreciate the input!

best,

Casey

Jeremy Davis's picture

jlain provides some useful links in a post above. The first link (to a TurnKey blog post) gives you a couple of upgrade (to v13.x) possibilities too if you want...

Casey's picture

I really should have seen that. All patched up now!

Joe Marcellais's picture

Is there a procedure to update BASH on TKL-lamp-11.3 ?

Thanks,

-Joe

Jeremy Davis's picture

As you may or may not be aware, v11.x was based on Ubuntu (rather than Debian - since v12.0) and Ubuntu do things a little differently to Debian.

From what I can gather from a quick bit of research, Ubuntu 10.04 (which v11.x was based on) is still supported with security patches (at least the 'main' server repo anyway...) and as TurnKey has had auto-security updates I would assume that it would have been auto patched.

However, I can't find info about what version you need to have to be assured that the bug is patched. So sorry I can't help there. The following should make sure that you have the latest Ubuntu Lucid version of bash:

apt-get update && apt-get install --reinstall bash

Regardless it may be worth planning your migration to a newer version of TurnKey as Ubuntu 10.04 support will finish April next year. So there is no rush yet, but probably good to start planning - especially if you have php code that may need updating for a newer version of php.
