BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>

[rolf]

Thanks, mathroval

[OscarTalks]

The 4.3 version is probably fine in Dpup Wheezy but in case anyone wants to stick with the 4.2 I have uploaded
bash-4.2.53-wheezy.pet (binary only).
Also bash-4.2.53-slacko14.0. pet (binary only, compiled in Slacko 5.7)
http://smokey01.com/OscarTalks

[James C]

Partial Shellshock fix for Lighthouse64.....

Newest Slackware bash for Slackware 14.0 x86-64 from
http://www.slackware.com/security/viewe ... ity.559646

Updated package for Slackware x86_64 14.0:

ftp://ftp.slackware.com/pub/slackware/s ... ck14.0.txz

Code: Select all

bash-4.2# bash --version
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
<root> ~
bash-4.2#

Code: Select all

bash-4.2# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2533  100  2533    0     0   5692      0 --:--:-- --:--:-- --:--:--  6665
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16: 31327 Segmentation fault      bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
<root> ~	

I assume there will be further updates.

[8Geee]

patch 4.3.30-1 passes all tests "not vunerable" using slacko 5.7 derivitive with 3.4.82 (non-pae) kernal. I don't use frisbee for wifi cnxn... can't report on that.

edit:
Also patched as above on slacko 5.5XL kernal 3.2.33-4g.

[prehistoric]

There seems to be confusion concerning version and build numbers. Here's what I'm running successful tests with on Fatdog 630-631 and Fatdog 700 b1, all 64-bit versions.

Code: Select all

# bash --version
GNU bash, version 4.2.52(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#

Here is the corresponding test result.

Code: Select all

#  curl --insecure https://shellshocker.net/shellshock_test.sh | bash 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2533  100  2533    0     0   6406      0 --:--:-- --:--:-- --:--:--  7538
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
# 

Added: this update is not from a .pet file. Fatdog 700 has switched to gslapt/slaptget package manager. Because the other files have not changed at all I was able to upgrade my older installation by simply copying /bin/bash from 700 b1 to /bin of 630-631. This was listed as release 5 of the x86_64 bit version of bash 4.2 in gslapt/slaptget. or bash-4.2-x86_64-5.txz .

With the exception of the version number these instructions from JamesBond should still apply.

Code: Select all

1. Get bash-4.2-x86_64-3.txz from 700 repo.
2. mkdir /tmp/xxx
3. cd /tmp/xxx
4. tar -xf /path/to/downloaded/bash-4.2-x86_64-3.txz
5. try to run ./bin/bash --version (version should be 4.2.49)
6. if this is good then cp ./bin/bash /bin

This should do until we stop getting new changes and copying things from a beta release.

[perdido]

Bash-3.0.22.
Passes all tests.

Keep in mind that although older versions may not be vulnerable to given exploits, newer versions have better solutions for the given problems (till the next version of course... )

Puppy 4.1.2 friendly version that does not break frisbee.

Thanks!

.

[ozsouth]

Oscar Talks' slacko pet passes all 7 tests in slacko 5.7 & 5.7.0

http://smokey01.com/OscarTalks/bash-4.2 ... ko14.0.pet

[James C]

Latest Bash from Slackware in Slacko64-5.9.1.

Code: Select all

# bash --version
GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Code: Select all

# curl --insecure https://shellshocker.net/shellshock_test.sh | bash 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   4343      0 --:--:-- --:--:-- --:--:--  5350
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
bash: line 50: 12499 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

[prehistoric]

@James C,

See the explanation I added to my post concerning Fatdog 700 b1 and back porting to patch 630-631. We are now using slaptget packages so this may work for your system also.

[gcmartin]

Hello @Prehistoric and @James C. You may have noticed the difference in BASH version each is testing to yield your results.

@Prehistoric, if possible and time permits, could you boot a Lighthouse64 ISO?

[prehistoric]

@gcmartin,

When I got a fast download of Lighthouse Pup 6.02 b2, I ran a quick experiment of dropping in the binary from /bin/bash in Fatdog 700 b1. The version named in the prompt needs to be updated, and likely a few other files. This appears to work, but obviously it is not carefully tested to see if it breaks anything else. I'll leave that to people familiar with Lighthouse Puppy.

Code: Select all

bash-4.1# bash --version
GNU bash, version 4.2.52(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
<root> ~
bash-4.1# curl --insecure https://shellshocker.net/shellshock_test.sh | bash 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   6191      0 --:--:-- --:--:-- --:--:--  6931
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
<root> ~
bash-4.1#

[James C]

Slacko 5.7 from the Updates Manager.

Code: Select all

# curl --insecure https://shellshocker.net/shellshock_test.sh | bash 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   6177      0 --:--:-- --:--:-- --:--:--  7297
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Code: Select all

# bash --version
GNU bash, version 4.2.50(2)-release (i486-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# 

[Bird Dog]

I would just like to thank all those who helped resolve this bash threat especially dejan 555, mavrothal, Geoffrey and james C.Its nice there a knowledgeable people who will help in times of need.
I am running precise 5.6.1 and I used dejans bash 4.3.30 dpup 487 and everything is not vulnerable. Unfortunately I haven't figured out how to paste from the terminal.
If precise 5.7.1 was to be recommended to a new member would this bash update and the heartbleed update proviided by shinobar be all that was necessary for a secure operating system?

Thanks Bird Dog

[prehistoric]

@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability. SSLv3 is going away from all major browsers soon in any case. If the server demands SSL, and not TLS, it probably has other vulnerabilities stemming from old software. There are banks in this category.

This is not exactly a vulnerability in Puppy, but it is a weakness in secure communication which could compromise sensitive data. A man-in-the-middle could interfere with TLS connections, and cause fallback to SSL, if your browser allows this.

[watchdog]

@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability.

In firefox I use:

https://addons.mozilla.org/it/firefox/a ... l/?src=api

[rolf]

@Bird Dog,

You probably want to update your browser, and use an extension which disables SSLv3 to avoid the POODLE vulnerability.

In firefox I use:

https://addons.mozilla.org/it/firefox/a ... l/?src=api

Thanks. I had to find an EN page:

As of version 0.2, this add-on should work with all Mozilla products, including Firefox, Firefox for Android, Thunderbird, and Seamonkey.

When I installed, I think I had to "Download anyway" but it seems to be working OK in

User agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0 SeaMonkey/2.18
Build identifier: 20130502195722

From the little I've read, this looks like a relatively recently documented security flaw that I had not heard anything about. Thanks for that, too.

[8Geee]

I also use V.C.SSL 0.2. One thing about it that annoys me is that it auto-logins using TLS 1.0. After starting FF, one has to manually select either 1.1 or 1.2 versions. On browser-close, the setting reverts to TLS 1.0.

And of course for the security minded folks about config should be editted basically to allow anything with 256 in the name (especially sha256) and false those without 256 in the name.

Supposedly FF34 will remove ssl3 validations of all types, and eliminate rc4 logins.

[bark_bark_bark]

In Seamonkey, All I had to do was uncheck the SSl 3 checkbox.

[rolf]

I tried setting SSL Version Control 0.2 to TLS 1.2 in the dropdown. I haven't had any problems with websites, yet, don't know if it is doing anything, and there is no longer a dropdown menu to select the version in this extension's preferences.

[perdido]

I tried setting SSL Version Control 0.2 to TLS 1.2 in the dropdown. I haven't had any problems with websites, yet, don't know if it is doing anything, and there is no longer a dropdown menu to select the version in this extension's preferences.

This site tells you which SSL/TLS you are using.

https://www.howsmyssl.com/

edit: forgot to mention I am using Firefox 16 Nightly and I had turned off SSL 3.0 before I went to this site. The site warned about a vulnerable cipher key, Firefox had not turned off the following vulnerable SSL 3.0 cipher key, security.ssl3.rsa_fips_des_ede3_sha, which was still marked as "true" in about:config , after changing to "false" the only warning received from the connection was the browser is using TLS 1.0


.