Fix for the GNU Bash "shellshock" vulnerability

14 replies [Last post]
megurineturilli
Offline
Joined: 01/10/2012

When will updates be avialable for the following bug, that I can install on Trisquel?

http://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

ivaylo
Offline
Joined: 07/26/2010

В 10:23 +0200 на 26.09.2014 (пт), name at domain написа:
> When will updates be avialable for the following bug, that I can install on
> Trisquel?

There is a bug report in Trisquel. [1] Version 6.0 is already patched,
although someone on the IRC channel said this is a partial patch and
more are expected.

[1]
http://trisquel.info/en/issues/12447

pogiako12345
Offline
Joined: 07/11/2014

I just did a system upgrade and found no updates yet. I'm running the latest Toutatis.

ivaylo
Offline
Joined: 07/26/2010

В 11:26 +0200 на 26.09.2014 (пт), name at domain написа:
> I just did a system upgrade and found no updates yet. I'm running the latest
> Toutatis.

I'm on Toutatis with the patch installed. The current Bash version is
4.2-2ubuntu2.2+6.0.1trisquel1. [1]

If you have unattended upgrades, check your /var/log/dpkg.log [2] for
possible updates. Also, check your system as explained in the bug
report.

[1]
$ apt-cache policy bash
bash:
Installed: 4.2-2ubuntu2.2+6.0.1trisquel1
Candidate: 4.2-2ubuntu2.2+6.0.1trisquel1

[2]
2014-09-25 20:25:02 upgrade bash 4.2-2ubuntu2.1+6.0trisquel1
4.2-2ubuntu2.2+6.0.1trisquel1

megurineturilli
Offline
Joined: 01/10/2012

I used apt-get upgrade bash to upgrade bash

then I got the following warning

WARNING: The following packages cannot be authenticated!
gcc-4.6-doc

Mzee
Offline
Joined: 07/10/2013

On Trisquel 6 I got the following update today:

The following packages will be upgraded:
bash
1 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,529 kB of archives. After unpacking 1,024 B will be used.
Do you want to continue? [Y/n/?] y
Get: 1 http://fr.archive.trisquel.info/trisquel/ toutatis-updates/main bash amd64 4.2-2ubuntu2.2+6.0.1trisquel1 [1,529 kB]
Fetched 1,529 kB in 0s (5,144 kB/s)
(Reading database ... 281993 files and directories currently installed.)
Preparing to replace bash 4.2-2ubuntu2.1+6.0trisquel1 (using .../bash_4.2-2ubuntu2.2+6.0.1trisquel1_amd64.deb) ...
Unpacking replacement bash ...
Processing triggers for man-db ...
Setting up bash (4.2-2ubuntu2.2+6.0.1trisquel1) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

There's two more relevant USNs (Ubuntu Security Notices) on bash after that patch level - expect further updates.

Abhishek
Offline
Joined: 07/22/2014

Please check with this command :

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If this returns "vulnerable" then its not patched yet.

If you get the below then shellshock bug is patched.

##
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
##

I have just upgraded the system for 6.0.1 and the shellshock bug seems to have been patched.

I checked after the upgrade and I got the patched output.

Please check and report if shellshock still persists or not.

pogiako12345
Offline
Joined: 07/11/2014

Successfully got the BASH update! :D

salparadise
Offline
Joined: 09/08/2013

Not patched on Trisquel 7 yet.

salparadise
Offline
Joined: 09/08/2013

Am I right in thinking that if I change the default shell on T7 (from bash to dash), that this will provide some security whilst awaiting a patch?

jxself
Offline
Joined: 09/13/2010

"Not patched on Trisquel 7 yet."

Everyone, please remember these two points:

1. Trisquel 7 is still in development and is not officially supported at this time.

2. If you find stuff missing/incomplete/outdated/whatever else see point 1.

If you wish a stable and secure system please stick with version 6 until 7 is released and official support begins. Otherwise please remember that you are using an unsupported Trisquel version and are on your own.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

To which I'll add: Debian Wheezy armhf hasn't patched yet either, so
Ruben's not alone. And there was another bash USN overnight, so as
bash is Trisquelized we can assume Ruben would work on that for
Toutatis first as it's the stable release.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> To which I'll add: Debian Wheezy armhf hasn't patched yet either, so

I'd better clarify that as 'hasn't patched to the latest level.'

salparadise
Offline
Joined: 09/08/2013

"Not patched on Trisquel 7 yet."

Was an observation, not a criticism.