26th Sep 2014, 6:59 pm | #21 |
Dekatron
Join Date: May 2008
Location: Derby, UK.
Posts: 7,735
|
Re: "Shellshock" security issue patched
It depends whether you ever intend to run them on another machine. The shell programming I do is mostly tied to the box it runs on anyway; and all our servers run one of the same two distros. So I feel quite justified in using Bash extensions in this situation.
I've seen shell scripts meant to run anywhere, that have pulled convoluted stunts to get echo to behave "right" -- the one built into Bash assumes -E and accepts -n for no newline, whereas the one in dash assumes -e and needs \c to make it not echo a newline. I guess that's the beauty of having standards, there are so many to choose from!
__________________
If I have seen further than others, it is because I was standing on a pile of failed experiments. |
26th Sep 2014, 7:55 pm | #22 | |
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
|
Re: "Shellshock" security issue patched
Quote:
Most modern distros have their own ways of installing updates, and it's just a question of invoking that if it's not done automatically. A few distros in common use don't routinely update (Puppy is the obvious example) but these shouldn't be used on internet facing servers anyway. Anybody worried about the vulnerability of their domestic router should run a port scanning utility like Shields Up!. All ports should be shown as closed or undetectable. If any are reported as open, then you should investigate why. A few older routers have firmware bugs which don't allow all ports to be closed, but any ports that can't be closed can just be forwarded to a nonsense IP address on the LAN. |
|
27th Sep 2014, 12:27 am | #24 |
Dekatron
Join Date: Apr 2012
Location: Worksop, Nottinghamshire, UK.
Posts: 5,549
|
Re: "Shellshock" security issue patched
I have had two updates in as many days.
I have installed both of them. |
27th Sep 2014, 2:28 am | #25 |
Pentode
Join Date: Sep 2006
Location: Wombourne, South Staffordshire, UK.
Posts: 223
|
Re: "Shellshock" security issue patched
On what?
__________________
G8KBG - BVWS Member - BATC Member |
27th Sep 2014, 9:23 am | #26 |
Administrator
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
|
Re: "Shellshock" security issue patched
Based on the subject of the ENTIRE THREAD it'll be Bash updates on Linux systems.
|
27th Sep 2014, 11:58 am | #27 |
Dekatron
Join Date: Apr 2012
Location: Worksop, Nottinghamshire, UK.
Posts: 5,549
|
Re: "Shellshock" security issue patched
|
29th Sep 2014, 8:39 pm | #28 | |
Dekatron
Join Date: Aug 2011
Location: Newcastle, Tyne and Wear, UK.
Posts: 11,484
|
Re: "Shellshock" security issue patched
Quote:
The bash updates were not made available in any kind of hurry on Zorin's updater, which nonetheless flagged up a few other updates at the time. That was why I decided to invoke the updates manually as described. For Raspbian (The Raspberry-Pi tuned version of Debian 7) the updates were available in the repos very quickly, but updates on the Pi are always manually invoked. |
|
29th Sep 2014, 11:23 pm | #29 |
Dekatron
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
|
Re: "Shellshock" security issue patched
Apple have released an update for Bash for OS X Lion, Mountain Lion and Mavericks. A simple .dmg download, a few seconds to install.
It is at the moment a separate install not done with the "App store". Available at the Apple downloads web site. Frank |
30th Sep 2014, 10:36 am | #30 |
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
|
Re: "Shellshock" security issue patched
There continue to be media reports of massive botnets being built by exploiting this bug, but I've yet to be convinced that there have been any successful attacks in the wild. The reports normally offer no technical detail at all, and mostly seem to describe attackers performing investigatory port scans, which are nothing to do with the bash exploit and happen all the time.
|
30th Sep 2014, 10:45 am | #31 |
Dekatron
Join Date: Apr 2012
Location: Worksop, Nottinghamshire, UK.
Posts: 5,549
|
Re: "Shellshock" security issue patched
I have just had to delete/clear out the offline web data in Firefox.
The problem was an Asian website kept appearing in an irritating way. It may not be related to the bash issue but it did appear while it has been ongoing. Things did speed up when I did a full factory reset of the router too. |
30th Sep 2014, 12:47 pm | #32 |
Dekatron
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
|
Re: "Shellshock" security issue patched
Hi Paul,
this site I find good for balanced technical info on security. I admit it sometimes is above my knowledge, ok well above, but it seems very balanced with good advice. https://isc.sans.edu/diary.html#__ut...utmk=244058694 Frank |
30th Sep 2014, 1:02 pm | #33 | |
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
|
Re: "Shellshock" security issue patched
Quote:
Frank's link does contain good information. The main exploit seems to use the CGI interface to the Apache web server, which passes the contents of a few user set environment variables to the shell script. Malicious code won't be executed with root privileges so there is limited potential for catastrophic system subversion, but it is relatively easy to upload and run malicious Perl scripts to carry out DDoS attacks. Updating bash fixes the vulnerability. If you're not running Apache or DHCPD on an internet facing server, you shouldn't have anything to worry about. |
|
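For anyone who does run Apache with CGI, the mechanism described in the post above can be checked for in the access log. This is an added example, not part of the original post: it assumes Apache's combined log format and flags requests whose Referer or User-Agent value begins with `() {`, the prefix bash treated as an exported function definition. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find requests whose logged header values begin with the
# bash function-definition prefix "() {" (Apache combined log format).

# Constructed sample log lines (not real traffic; the addresses come from
# the reserved documentation ranges).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [30/Sep/2014:10:36:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [30/Sep/2014:10:36:09 +0000] "GET /cgi-bin/status HTTP/1.0" 200 312 "-" "() { :; }; CONSTRUCTED-SAMPLE"
203.0.113.5 - - [30/Sep/2014:10:37:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { x; }; CONSTRUCTED-SAMPLE" "curl/7.35.0"
192.0.2.10 - - [30/Sep/2014:10:38:02 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; widget() { })"
EOF
}

# Reads a combined-format log on stdin and prints one line per hit:
#   client-address <TAB> header-name <TAB> request-line
# Splitting on the double quote gives: $2 = request line, $4 = Referer,
# $6 = User-Agent. A header value containing an escaped quote would shift
# the fields, so treat the output as a triage list, not a verdict.
scan_log() {
  awk -F'"' '
    # True only when the value STARTS with "() {"; the same characters
    # later in the value (last sample line) are not a function definition.
    function hit(v) { return v ~ /^[ \t]*[(][)][ \t]*[{]/ }
    {
      split($1, pre, " ")          # pre[1] is the client address
      if (hit($4)) printf "%s\tReferer\t%s\n", pre[1], $2
      if (hit($6)) printf "%s\tUser-Agent\t%s\n", pre[1], $2
    }'
}

# Run against the constructed sample; for a real check, feed the server's
# own access log to scan_log instead.
sample_log | scan_log
```

The combined format records only the Referer and User-Agent headers, so a value sent in any other header will not show up in this log. A hit shows that a request was made, not that bash was unpatched at the time.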
30th Sep 2014, 1:06 pm | #34 |
Dekatron
Join Date: Aug 2007
Location: W.Butterwick, near Doncaster UK.
Posts: 8,923
|
Re: "Shellshock" security issue patched
As I use Firefox, I set it not to keep any data for security.
__________________
G8JET BVWS Archivist and Member V.M.A.R.S |
30th Sep 2014, 1:49 pm | #35 |
Dekatron
Join Date: Apr 2012
Location: Worksop, Nottinghamshire, UK.
Posts: 5,549
|
Re: "Shellshock" security issue patched
Bash had to be updated five times before the update notifier calmed down.
I have just done an update check and it says everything is up to date. The annoying website problem would appear to be coming from a website that I use that happens to be infected with something else that is, as you say, not related or, if it is, not directly so. It will have to wait until the owner of the affected website does an update before the problem clears. It was appearing randomly so it is difficult for me to contact the site owner. |
30th Sep 2014, 3:06 pm | #36 |
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
|
Re: "Shellshock" security issue patched
This is what you'd expect with a vulnerability on this scale. The distro maintainers will provide an immediate quick and dirty fix which removes the obvious vulnerability. The code will then be crawled over by lots of people. More vulnerabilities will be found, and the code will be tidied up. Eventually a definitive fix will be applied by the package maintainer and all distributions will return to the same version.
|