LinuxMCE Forums
General => Users => Topic started by: purps on October 01, 2014, 10:08:51 am
-
Not wanting to start a panic or anything, but thought I should ask the question seeing as we are all using Linux and not only that, using it as a gateway/router.
I had an email come round at work warning us of this potential weakness. It was recommended we run the following command...
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo this is a test"
...to see if we are vulnerable. If I am to believe this test, then apparently I am.
What can we do, if anything?
Cheers,
Matt.
-
apt-get update && apt-get upgrade
should sort you out - updated bash packages have been released already.
-Coley.
-
Yeah I was afraid somebody might say that :-)
Is there any way to upgrade only the packages affected by this issue?
Cheers,
Matt.
-
sudo apt-get install bash
-Coley.
-
I'm getting the following error:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
bash-doc
Recommended packages:
bash-completion
The following packages will be upgraded:
bash
1 upgraded, 0 newly installed, 0 to remove and 172 not upgraded.
Need to get 0B/647kB of archives.
After this operation, 57.3kB disk space will be freed.
WARNING: The following packages cannot be authenticated!
bash
Authentication warning overridden.
(Reading database ... 132533 files and directories currently installed.)
Preparing to replace bash 4.1-2ubuntu3 (using .../bash_4.1-2ubuntu3.4_i386.deb) ...
Unpacking replacement bash ...
dpkg: error processing /var/cache/apt/archives/bash_4.1-2ubuntu3.4_i386.deb (--unpack):
trying to overwrite '/bin/sh', which is also in package dash 0:0.5.5.1-3ubuntu2
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.
Processing triggers for man-db ...
Errors were encountered while processing:
/var/cache/apt/archives/bash_4.1-2ubuntu3.4_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
I have tried "sudo apt-get install --true-upgrade bash" and "sudo apt-get install --reinstall bash" also.
Cheers,
Matt.
EDIT: Could I chroot from a live CD or something? If yes, to what directory? Or have I misunderstood how one uses chroot?
-
check out this thread
http://forum.linuxmce.org/index.php?topic=13769.0
-Coley.
-
Saw that but didn't twig that it was the issue I was having, thanks.
I followed the steps to make dash the default shell. I guess that solves the problem in itself.
I tried to then upgrade bash, but it said it was at the newest version - as far as I am aware it never got upgraded. So in any event I hope I'm safe.
Cheers,
Matt.
-
Keep in mind that the majority of LMCE scripts are bash based and are not compatible with dash. You will want to ensure that bash is updated and functional.
J.
-
You really want to patch your bash. There are 6 CVE alerts against this, all with a CVSS score of 10 (meaning really bad). I've been dealing with this at work, on almost every flavor of *nix out there.
Run:
sudo apt-get update && cat /etc/lsb-release && sudo apt-cache policy bash
If Candidate is not the same as Installed, you're not patched to the latest available.
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
bash:
Installed: 4.2-2ubuntu2.5
Candidate: 4.2-2ubuntu2.5
Version table:
*** 4.2-2ubuntu2.5 0
Your version number should be equal to or greater than the ones listed at this link:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7187.html
Ubuntu 10.04 LTS (Lucid Lynx): released (4.1-2ubuntu3.4)
Ubuntu 12.04 LTS (Precise Pangolin): released (4.2-2ubuntu2.5)
Ubuntu 14.04 LTS (Trusty Tahr): released (4.3-7ubuntu1.4)
Ubuntu 14.10 (Utopic Unicorn): released (4.3-9ubuntu4)
The gory details are all here:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6271.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6277.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6278.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7186.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7187.html
Hope that helps!
/Mike
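
(Added example, not part of the original post or of LinuxMCE: the check described above as a script that reads the Installed and Candidate lines from "apt-cache policy bash" output and compares the installed version with the fixed version quoted above for each Ubuntu release. The function names and status strings are made up for this example; the sort -V fallback is an approximation used only where dpkg is not available.)

```shell
#!/bin/sh
# Fixed bash package versions, copied from the tracker lines quoted in the post.
fixed_version() {
    case "$1" in
        10.04) echo "4.1-2ubuntu3.4" ;;
        12.04) echo "4.2-2ubuntu2.5" ;;
        14.04) echo "4.3-7ubuntu1.4" ;;
        14.10) echo "4.3-9ubuntu4" ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeeds when package version A >= B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"      # authoritative Debian ordering
    else
        # Approximation for hosts without dpkg: GNU version sort.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# policy_field NAME: print the value of "NAME:" from policy output on stdin.
policy_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# bash_patch_status RELEASE POLICY_TEXT
# Prints: patched | patched-update-pending | vulnerable | not-installed | unknown-release
bash_patch_status() {
    installed=$(printf '%s\n' "$2" | policy_field Installed)
    candidate=$(printf '%s\n' "$2" | policy_field Candidate)
    fixed=$(fixed_version "$1") || { echo "unknown-release"; return 2; }
    if [ -z "$installed" ] || [ "$installed" = "(none)" ]; then
        echo "not-installed"; return 2
    fi
    if ! version_ge "$installed" "$fixed"; then
        echo "vulnerable"; return 1               # older than the fixed build
    fi
    if [ "$installed" != "$candidate" ]; then
        echo "patched-update-pending"; return 0   # fixed, but a newer build exists
    fi
    echo "patched"
}

# Usage on a live system (after "sudo apt-get update"):
#   . /etc/lsb-release
#   bash_patch_status "$DISTRIB_RELEASE" "$(apt-cache policy bash)"
```

A non-zero exit status means the host needs attention, so the call can be dropped into a loop over several machines.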
-
Thanks for the expert help guys. My 10.04 installation is showing "Installed: 4.1-2ubuntu3.4" which matches the candidate, so looks like I'm good.
Cheers,
Matt.
-
Thank you Mike, that worked brilliantly! All my machines updated.