UK Vintage Radio Repair and Restoration Discussion Forum

26th Sep 2014, 6:59 pm   #21
julie_m
Dekatron
Join Date: May 2008
Location: Derby, UK.
Posts: 7,735
Re: "Shellshock" security issue patched

It depends whether you ever intend to run them on another machine. The shell programming I do is mostly tied to the box it runs on anyway; and all our servers run one of the same two distros. So I feel quite justified in using Bash extensions in this situation.

I've seen shell scripts meant to run anywhere, that have pulled convoluted stunts to get echo to behave "right" -- the one built into Bash assumes -E and accepts -n for no newline, whereas the one in dash assumes -e and needs \c to make it not echo a newline. I guess that's the beauty of having standards, there are so many to choose from!
__________________
If I have seen further than others, it is because I was standing on a pile of failed experiments.

26th Sep 2014, 7:55 pm   #22
paulsherwin
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched

Quote:
Originally Posted by SiriusHardware View Post
In both cases (in a terminal or at the command line prompt)

Code:
sudo apt-get update
sudo apt-get install bash
...fetched and over-installed any available later version of bash.

But, for anyone unaware of the niceties of Linux distros, this advice will only work with Debian based distributions (such as Ubuntu and Mint, and also Raspbian or whatever it's called).

Most modern distros have their own ways of installing updates, and it's just a question of invoking that if it's not done automatically. A few distros in common use don't routinely update (Puppy is the obvious example) but these shouldn't be used on internet facing servers anyway.

Anybody worried about the vulnerability of their domestic router should run a port scanning utility like Shields Up!. All ports should be shown as closed or undetectable. If any are reported as open, then you should investigate why. A few older routers have firmware bugs which don't allow all ports to be closed, but any ports that can't be closed can just be forwarded to a nonsense IP address on the LAN.

26th Sep 2014, 10:12 pm   #23
Paul Stenning
Administrator
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Re: "Shellshock" security issue patched

On CentOS it's
Code:
yum update bash
assuming you are logged in as root.
__________________

Paul Stenning
Forum Admin/Owner and BVWS Webmaster

27th Sep 2014, 12:27 am   #24
Refugee
Dekatron
Join Date: Apr 2012
Location: Worksop, Nottinghamshire, UK.
Posts: 5,549
Re: "Shellshock" security issue patched

I have had two updates in as many days.
I have installed both of them.

27th Sep 2014, 2:28 am   #25
G8KBG Tony
Pentode
Join Date: Sep 2006
Location: Wombourne, South Staffordshire, UK.
Posts: 223
Re: "Shellshock" security issue patched

Quote:
Originally Posted by Refugee View Post
I have had two updates in as many days.
I have installed both of them.

On what?
__________________
G8KBG - BVWS Member - BATC Member

27th Sep 2014, 9:23 am   #26
Paul Stenning
Administrator
Join Date: Dec 2002
Location: Cardiff
Posts: 9,060
Re: "Shellshock" security issue patched

Quote:
Originally Posted by G8KBG Tony View Post
Quote:
Originally Posted by Refugee View Post
I have had two updates in as many days.
I have installed both of them.
On what?

Based on the subject of the ENTIRE THREAD it'll be Bash updates on Linux systems.
__________________

Paul Stenning
Forum Admin/Owner and BVWS Webmaster

27th Sep 2014, 11:58 am   #27
Refugee
Dekatron
Join Date: Apr 2012
Location: Worksop, Nottinghamshire, UK.
Posts: 5,549
Re: "Shellshock" security issue patched

Quote:
Originally Posted by G8KBG Tony View Post
On what?

On two desktop PCs installed with single boot PCLinuxOS.
A third bash update has come in this morning and I have installed it too.

29th Sep 2014, 8:39 pm   #28
SiriusHardware
Dekatron
Join Date: Aug 2011
Location: Newcastle, Tyne and Wear, UK.
Posts: 11,483
Re: "Shellshock" security issue patched

Quote:
Originally Posted by paulsherwin View Post
But, for anyone unaware of the niceties of Linux distros, this advice will only work with Debian based distributions (such as Ubuntu and Mint, and also Raspbian or whatever it's called).

Thanks for pointing out that this method is Debian-centric - as it happens, my limited experience with Linux has all been on Debian derived versions of Linux.

The bash updates were not made available in any kind of hurry on Zorin's updater, which nonetheless flagged up a few other updates at the time. That was why I decided to invoke the updates manually as described.

For Raspbian (The Raspberry-Pi tuned version of Debian 7) the updates were available in the repos very quickly, but updates on the Pi are always manually invoked.

29th Sep 2014, 11:23 pm   #29
Nuvistor
Dekatron
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
Re: "Shellshock" security issue patched

Apple have released an update for Bash for OS X Lion, Mountain Lion and Mavericks. A simple .dmg download, a few seconds to install.
It is at the moment a separate install not done with the "App store".
Available at the Apple downloads web site.
Frank

30th Sep 2014, 10:36 am   #30
paulsherwin
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched

There continue to be media reports of massive botnets being built by exploiting this bug, but I've yet to be convinced that there have been any successful attacks in the wild. The reports normally offer no technical detail at all, and mostly seem to describe attackers performing investigatory port scans, which are nothing to do with the bash exploit and happen all the time.

30th Sep 2014, 10:45 am   #31
Refugee
Dekatron
Join Date: Apr 2012
Location: Worksop, Nottinghamshire, UK.
Posts: 5,549
Re: "Shellshock" security issue patched

I have just had to delete/clear out the offline web data in Firefox.
The problem was an Asian website kept appearing in an irritating way.
It may not be related to the bash issue but it did appear while it has been ongoing.
Things did speed up when I did a full factory reset of the router too.

30th Sep 2014, 12:47 pm   #32
Nuvistor
Dekatron
Join Date: Aug 2013
Location: Wigan, Greater Manchester, UK.
Posts: 9,427
Re: "Shellshock" security issue patched

Hi Paul,
this site I find good for balanced technical info on security. I admit it sometimes is above my knowledge, ok well above, but it seems very balanced with good advice.
https://isc.sans.edu/diary.html#__ut...utmk=244058694
Frank

30th Sep 2014, 1:02 pm   #33
paulsherwin
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched

Quote:
Originally Posted by Refugee View Post
I have just had to delete/clear out the offline web data in Firefox.
The problem was an Asian website kept appearing in an irritating way.
It may not be related to the bash issue but it did appear while it has been ongoing.
Things did speed up when I did a full factory reset of the router too.

This won't be anything to do with the bash vulnerability.

Frank's link does contain good information. The main exploit seems to use the CGI interface to the Apache web server, which passes the contents of a few user set environment variables to the shell script. Malicious code won't be executed with root privileges so there is limited potential for catastrophic system subversion, but it is relatively easy to upload and run malicious Perl scripts to carry out DDS attacks. Updating bash fixes the vulnerability.

If you're not running Apache or DHCPD on an internet facing server, you shouldn't have anything to worry about.
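
Added example, not part of the original post: one way to tell the CGI route described above apart from ordinary scans is to look in the Apache access log for fields that begin with a shell function definition, `() {`. The log lines are constructed, `scan_access_log` and `write_sample_log` are names made up here, and only the request line, Referer and User-Agent appear in the combined log format, so values sent in other headers will not show up.

```shell
#!/bin/sh
# Added example: flag access-log entries whose request line, Referer or
# User-Agent begins with a shell function definition "() {".
# All log lines below are constructed; addresses are documentation ranges.

scan_access_log() {
    # Prints: client <TAB> timestamp <TAB> field-name for each suspicious entry.
    awk -F'"' '
        function suspicious(s) { return s ~ /^ *\(\) *\{/ }
        {
            field = ""
            if (suspicious($2)) field = "request"
            else if (suspicious($4)) field = "referer"
            else if (suspicious($6)) field = "user-agent"
            else if ($0 ~ /\(\) *\{/) field = "other"   # escaped quotes broke the split
            if (field == "") next
            split($1, head, " ")          # head[1] = client, head[4] = "[timestamp"
            ts = head[4]; sub(/^\[/, "", ts)
            printf "%s\t%s\t%s\n", head[1], ts, field
        }' "$1"
}

write_sample_log() {
    # Constructed combined-format entries; payloads are placeholders.
    cat > "$1" <<'EOF'
192.0.2.10 - - [30/Sep/2014:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [30/Sep/2014:10:03:44 +0100] "GET /cgi-bin/status HTTP/1.0" 200 312 "-" "() { :; }; <constructed placeholder>"
203.0.113.5 - - [30/Sep/2014:10:04:10 +0100] "GET / HTTP/1.0" 404 209 "() { ignored; }; <constructed placeholder>" "-"
192.0.2.99 - - [30/Sep/2014:10:05:00 +0100] "HEAD / HTTP/1.0" 200 0 "-" "-"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
scan_access_log "$sample"
rm -f "$sample"
```

A hit only shows that someone tried; whether it did anything depends on whether the requested path is a CGI script that reaches an unpatched bash.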

30th Sep 2014, 1:06 pm   #34
HamishBoxer
Dekatron
Join Date: Aug 2007
Location: W.Butterwick, near Doncaster UK.
Posts: 8,923
Re: "Shellshock" security issue patched

As I use Firefox, I set it not to keep any data for security.
__________________
G8JET BVWS Archivist and Member V.M.A.R.S

30th Sep 2014, 1:49 pm   #35
Refugee
Dekatron
Join Date: Apr 2012
Location: Worksop, Nottinghamshire, UK.
Posts: 5,549
Re: "Shellshock" security issue patched

Bash had to be updated five times before the update notifier calmed down.
I have just done an update check and it says everything is up to date.

The annoying website problem would appear to be coming from a website that I use that happens to be infected with something else that is, as you say, not related, or if it is, not directly so.

It will have to wait until the owner of the affected website does an update before the problem clears.
It was appearing randomly so it is difficult for me to contact the site owner.

30th Sep 2014, 3:06 pm   #36
paulsherwin
Moderator
Join Date: Jun 2003
Location: Oxford, UK
Posts: 27,787
Re: "Shellshock" security issue patched

Quote:
Originally Posted by Refugee View Post
Bash had to be updated five times before the update notifier calmed down.

This is what you'd expect with a vulnerability on this scale. The distro maintainers will provide an immediate quick and dirty fix which removes the obvious vulnerability. The code will then be crawled over by lots of people. More vulnerabilities will be found, and the code will be tidied up. Eventually a definitive fix will be applied by the package maintainer and all distributions will return to the same version.
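
Added example, not part of the thread: after rounds of updates like those described above, this checks whether a given shell still runs a command that trails a function definition in an environment variable, which was the original Shellshock behaviour. It covers only that first issue, not the follow-up flaws fixed by later patches; `shellshock_status`, `check_installed_bash`, `probe_var` and the marker text are names made up for this example.

```shell
#!/bin/sh
# Added example: report whether a shell still shows the original Shellshock
# behaviour. The variable name and marker text are constructed.

shellshock_status() {
    shell_path=$1
    # Report "missing" if the shell cannot be found or is not executable.
    command -v "$shell_path" >/dev/null 2>&1 || { echo missing; return 2; }

    marker="SHELLSHOCK_MARKER_$$"
    # A patched shell treats the variable as plain text, so the marker is
    # never echoed. stderr is dropped because interim patches warn there.
    out=$(env "probe_var=() { :;}; echo $marker" "$shell_path" -c 'echo started' 2>/dev/null)

    case $out in
        *"$marker"*) echo vulnerable; return 1 ;;
        *started*)   echo patched;    return 0 ;;
        *)           echo unknown;    return 3 ;;
    esac
}

# Check the bash on PATH plus the usual install locations, each path once.
check_installed_bash() {
    seen=" "
    for candidate in "$(command -v bash 2>/dev/null)" /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -n "$candidate" ] && [ -x "$candidate" ] || continue
        case $seen in *" $candidate "*) continue ;; esac
        seen="$seen$candidate "
        printf '%s: %s\n' "$candidate" "$(shellshock_status "$candidate")"
    done
}

check_installed_bash
```

More than one line of output means more than one bash binary is installed, and the package update may have replaced only one of them.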

All times are GMT +1.