Page 1 of 4 (results 1 to 10 of 40)

Thread: Vulnerability in bash

  1. #1

    Vulnerability in bash

    I hope SUSE/openSUSE bash packagers/maintainers are following this.

    Code:
    https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
    I have tested 12.3, 13.1, 13.2 beta and Factory; all of them are vulnerable.
    The patch is out upstream, already fixed by Chet, but it still did not reach the openSUSE/SUSE repos.
    The thing is, if the patch went through the update then it may or may not break some system packages, including bash itself, at least according to that thread.
    "Unfortunately time is always against us" -- [Morpheus]

    .:https://github.com/Jetchisel:.

  2. #2

    Re: Vulnerability in bash

    According to that, 3.0 might also be affected.
    Code:
    http://lists.gnu.org/archive/html/bug-bash/2014-09/index.html

    Code:
    Bug-Description:
    
    Under certain circumstances, bash will execute user code while processing the
    environment for exported function definitions.
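    The mechanism the bug description above names, bash running code while importing exported function definitions from the environment, can be exercised directly. The following is an added example, not something posted in the thread: it runs the environment-variable test that circulated with the Red Hat post linked in #1 (a function definition followed by a trailing command) against a chosen bash binary, and separately shows how bash serialises an exported function into the environment, which is the code path involved. The function names, the BASH_BIN override and the variable name x are my own choices, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the thread.  Exercises the path the bug description
# names: bash importing exported function definitions from the environment.

BASH_BIN="${BASH_BIN:-bash}"   # set BASH_BIN=/path/to/bash to test another build

# The test that circulated with the Red Hat post: the variable's value is a
# function definition ("() { :;}") followed by a trailing command.  An
# unpatched bash runs the trailing command while importing the variable,
# before the harmless -c command executes, so "vulnerable" shows up in the output.
shellshock_check() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# How bash actually puts an exported function into the environment.  Old bash
# exports it under the plain function name ("f=() { ..."); bash with the
# Shellshock fixes uses a decorated name ("BASH_FUNC_f%%=() { ..." or, on some
# intermediate patch levels, "BASH_FUNC_f()=() { ...") so that ordinary
# variables can no longer be mistaken for function definitions.
exported_function_env() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    "$bin" -c 'f() { :; }; export -f f; env | grep -E "^(BASH_FUNC_)?f(%%|\(\))?="'
}
```

    Run shellshock_check with no argument to test the bash on PATH, or pass the path of a freshly built bash to confirm a source build before installing it; the exit status (0 patched, 1 vulnerable, 2 no such binary) makes it usable from other scripts.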

  3. #3

    Re: Vulnerability in bash

    Quote Originally Posted by jetchisel
    I hope SUSE/openSUSE bash packagers/maintainers are following this.

    Code:
    https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
    If that's the same as this, then yes, they have known about it for over a week already:
    https://bugzilla.novell.com/show_bug.cgi?id=896776


    Quote Originally Posted by jetchisel
    The patch is out upstream, already fixed by Chet, but it still did not reach the openSUSE/SUSE repos.
    The thing is, if the patch went through the update then it may or may not break some system packages, including bash itself, at least according to that thread.
    Well, it actually _is_ in the Base:System repo already:
    https://build.opensuse.org/package/r...v=base&rev=171
    Therefore it should also be in Factory in a few days.

    An update for 12.3 and 13.1 has been submitted as well already, as you can see in the bugreport.
    Last edited by wolfi323; 24-Sep-2014 at 09:01.

  4. #4

    Re: Vulnerability in bash

    Quote Originally Posted by wolfi323

    An update for 12.3 and 13.1 has been submitted as well already, as you can see in the bugreport.
    Nice to know, thanks.

  5. #5

    Re: Vulnerability in bash

    I have two production systems on openSUSE 11.2; how can I find the package, or even apply it manually?

  6. #6
    Re: Vulnerability in bash

    11.2 is way out of date and thus no longer supported, and thereby open to worse things than the bash problem. As far as vulnerabilities are concerned this is not a big one, though it should be addressed. Note that openSUSE has a rather short support cycle for a "production" system. You should use either SUSE or Evergreen. But the current Evergreen ends with 13.1 (i.e. starts a new cycle) and was based on 11.4. So the only way I can see to fix your bash is to find the patch and compile from source, or update your OS.

  7. #7

    Re: Vulnerability in bash

    I agree with you on the "way too old", unfortunately you know how it goes. Sometimes we end up in difficult situations due to decisions taken a long time ago.

    I found this http://download.opensuse.org/reposit.../Maintenance:/

    With all my CentOS systems patched, I am hoping a proper update appears there among the 3 that were recently :-|

    I have never had to patch a binary manually, so that is also at the experimentation stage :-| (right now I am getting "hunk FAILED" doing it on a test machine)

  8. #8
    Re: Vulnerability in bash

    Well, you can't patch an arbitrary binary with a patch. Patches are made, for the most part, by diffing the file and creating the change file from the diff, thus you must have the same starting point for a patch to work. In your case you need to find the changes made to fix the problem and apply them to the code for your current version, which you also must dig out, then compile the result. This requires real programming at the language level and cannot be done by an automated patch unless someone makes one for you.

    I'm sure the idea to keep a production system on a fast-moving (free) OS seemed smart at the time, until something like this comes along...

    On the other hand, it depends on what kind of a "production" system this is. If it is file servers sitting behind a nice firewall, it probably is not a huge problem; if it is web or other internet servers, then maybe you should seriously think of updating, since you have already missed many, many security patches.
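    To make concrete what the post above says about needing the same starting point, and the "hunk FAILED" the previous poster ran into, here is an added example constructed for this page (it is not from the thread and does not use the bash sources): three small stand-in files play the role of one source file before the fix, after the fix, and as shipped in an older release. The patch is produced the way upstream produces theirs, by diffing before and after, and patch --dry-run is used to see whether the hunk would apply before anything is modified. File names and contents are made up; -F0 turns off context fuzzing so a mismatched base is reported rather than guessed around.

```shell
#!/bin/sh
# Added example (constructed files, not the bash sources): why a patch made
# against one version fails with "Hunk #1 FAILED" on another, and how to
# check with --dry-run before touching the tree.

demo_patch_base_mismatch() {
    command -v diff  >/dev/null 2>&1 || { echo "no-diff";  return 2; }
    command -v patch >/dev/null 2>&1 || { echo "no-patch"; return 2; }
    work=$(mktemp -d) || return 2

    # Stand-ins for one source file: before the fix, after the fix, and the
    # same file as shipped in an older release.  Contents are made up.
    printf 'release 4.3\nimport env\ndefine function\n'                            > "$work/variables.c.before"
    printf 'release 4.3\nimport env\ncheck definition boundary\ndefine function\n' > "$work/variables.c.after"
    printf 'release 3.2\nimport environment\ndefine fn\n'                          > "$work/variables.c.oldrelease"

    # Upstream builds the fix patch by diffing the file before and after the
    # change.  diff exits 1 when the files differ, so don't let that abort us.
    ( cd "$work" && diff -u variables.c.before variables.c.after > fix.patch; true )

    # 1. Wrong starting point: the older release.  -F0 disables context fuzzing
    #    so patch reports the mismatch instead of guessing a location.
    cp "$work/variables.c.oldrelease" "$work/variables.c"
    if ( cd "$work" && patch --dry-run -F0 -s variables.c fix.patch >/dev/null 2>&1 ); then
        wrong="applied"
    else
        wrong="failed"   # this is the "Hunk #1 FAILED" case
    fi

    # 2. Right starting point: the exact pre-fix file.  Apply for real and
    #    confirm the result is byte-identical to the fixed file.
    cp "$work/variables.c.before" "$work/variables.c"
    if ( cd "$work" && patch -F0 -s variables.c fix.patch >/dev/null 2>&1 ) \
       && cmp -s "$work/variables.c" "$work/variables.c.after"; then
        right="applied"
    else
        right="failed"
    fi

    rm -rf "$work"
    echo "wrong-base:$wrong right-base:$right"
}

# demo_patch_base_mismatch   -> prints: wrong-base:failed right-base:applied
```

    The same --dry-run check is what you would run on a real source tree before building: if every hunk applies cleanly against the exact release you have, compile the result; if a hunk fails, the context lines in the .rej file show what the patch expected to find, and the change has to be carried over to your version by hand.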

  9. #9

    Re: Vulnerability in bash

    Thanks for your feedback, gogalthorp. Will keep looking and see what can be done on the fly (well, sort of).


  10. #10

    Re: Vulnerability in bash

    I received the patch to my 13.1 system a few hours ago, fwiw.

    --
    Good luck.
