I have tested 12.3, 13.1, 13.2 beta and Factory; all of them are vulnerable :(.
The patch is out upstream, already fixed by Chet, but it still has not reached the openSUSE/SUSE repos.
The thing is, if the patch went through the update then it may or may not break some system packages, including bash itself, at least according to that thread.
11.2 is way out of date, thus no longer supported, and thereby open to worse things than the bash problem. As far as vulnerabilities are concerned this is not a big one, though it should be addressed. Note that openSUSE has a rather short support cycle for a “production” system. You should use either SUSE or Evergreen. But the current Evergreen ends with 13.1 (i.e. starts a new cycle) and was based on 11.4. So the only way I can see to fix your bash is to find the patch and compile from source, or update your OS.
I agree with you on the way too old; unfortunately you know how it goes. Sometimes we end up in difficult situations due to decisions taken a long time ago.
With all my CentOS systems patched, I am hoping a proper update appears there among the 3 that were recently released.
I have never had to patch a binary manually, so that is also at the experimentation stage (right now I am getting "hunk FAILED" doing it on a test machine).
Well, you can’t patch an arbitrary binary with a patch. Patches are made for the most part by diffing the files and creating the change file from the diff; thus you must have the same starting point for a patch to work. In your case you need to find the changes made to fix the problem and apply them to the code for your current version, which you also must dig out, then compile the result. This requires real programming at the language level and cannot be done by an automated patch unless someone makes one for you.
I’m sure the idea to keep a production system on a fast moving (free) OS seemed smart at the time until something like this comes along…:X
On the other hand, it depends on what kind of a “production” system this is. If it is file servers sitting behind a nice firewall it probably is not a huge problem; if it is web/other internet servers then maybe you should seriously think of updating, since you have already missed many, many security patches.
You can download, patch and compile if you like :).
Create a directory for compiling your stuff and go inside it.
mkdir /tmp/temp
cd $_
Depending on your bash version you need to adjust this, this is bash 4.2
Download your bash version
wget http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
Download the correct patch version, again you need to adjust this since 4.3 only has 25 patches.
for ((i=1; i<49; i++)); do printf -v tmp %03d $i; wget http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-$tmp; done
Unpack the tarball
tar zxvf bash-4.2.tar.gz
Go inside that directory
cd bash-4.2 || exit
Now run the patch.
for ((i=1; i<49; i++)); do printf -v tmp %03d $i; patch -p0 < ../bash42-$tmp; done
Now it’s time to make install!
You can even give it a path so it will end up in the --prefix directory
./configure --prefix=/home/jetchisel/Scripts; make install
Note that would create a bin directory in /home/jetchisel/Scripts. Replace that path with your own hearts content :).
You can write scripts and put the absolute path e.g.
#!/home/jetchisel/Scripts/bin/bash
and test if the bug still exists or call it interactively. You can ln that binary to your /bin/bash e.g. the output of
type -a bash
Too much manual work, I know, but if you have to do it because of lack of official package/support then you're on your own.
On the other hand: "Breaking news, patch seems incomplete" :|.
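Once the locally built bash is in place (or for any of the binaries that `type -a bash` lists), the thing to check is whether that binary still imports shell functions from arbitrary environment variables. The following POSIX sh script is an added example, not part of the thread or of jetchisel's build procedure; it wraps the same public test string quoted later in this thread in a function with a clear exit status so it can be run against several binaries in turn. The binary paths passed to it are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): probe whether a given bash binary still
# imports a function definition from an environment variable and executes the
# trailing command (the CVE-2014-6271 behaviour), using the same test string
# quoted in the thread.
# Exit codes: 0 = patched, 1 = vulnerable, 2 = binary not runnable.
check_shellshock() {
    bin="${1:-bash}"
    if ! "$bin" -c 'true' >/dev/null 2>&1; then
        return 2
    fi
    # A patched bash prints only "hello" (it ignores the variable or warns about
    # an ignored function definition on stderr, which is suppressed here); a
    # vulnerable bash also runs "echo vulnerable" while importing the variable.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one status line per binary, e.g. for every path that `type -a bash`
# reports plus a locally built copy under --prefix.
report_shellshock() {
    for b in "$@"; do
        rc=0
        check_shellshock "$b" || rc=$?
        case $rc in
            0) printf '%s: patched\n' "$b" ;;
            1) printf '%s: VULNERABLE\n' "$b" ;;
            *) printf '%s: not runnable\n' "$b" ;;
        esac
    done
}

# Usage (paths are assumed, adjust to your own system):
#   report_shellshock /bin/bash /home/jetchisel/Scripts/bin/bash
```

The probe is deliberately run with `env` rather than `export`, so the crafted variable never enters the calling shell's environment; the script itself stays POSIX sh so it can be run from a shell other than the one being examined.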
When you use the Link icon in the post editor (the small globe) you get a link in your post. Much easier to click on for others than when you post a URL between CODE tags ;).
–
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-21-desktop
Just as soon as I can use it. Apparently we need to know which repo has the updated bash. For my 13.1 installation, the latest offered is 4.2-68.8.1, and after update and reboot, /bin/bash actually reports:
This is what I get
gogalthorp@linux6:~> echo $BASH_VERSION
4.2.47(1)-release
gogalthorp@linux6:~> env x='() { :;}; echo vulnerable' bash -c 'echo hello'
hello
No, that’s not “weird”.
That’s how openSUSE’s update policy works.
You normally don’t get newer versions of software, only the patches to fix problems are added on top of the existing/shipped package.
To see if the wanted fix is in, have a look at the package changelog, either in YaST or with: