+- Linux Lite Forums (https://www.linuxliteos.com/forums)
+-- Forum: General (https://www.linuxliteos.com/forums/forumdisplay.php?fid=4)
+--- Forum: On Topic (https://www.linuxliteos.com/forums/forumdisplay.php?fid=14)
+--- Thread: Bash Vulnerability and Linux Lite (/showthread.php?tid=889)
Pages:
1
2
Bash Vulnerability and Linux Lite - Dookus - 09-25-2014
I just ran the commands on LL2
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
env X="() { :;} ; echo busted" bash -c "echo stuff"
and the second command came back with "busted"
Meaning LL is vulnerable
I imagine the patch for this is reliant on Ubuntu developers?
Re: Bash Vulnerability and Linux Lite - Valtam - 09-25-2014
Both of mine just came back as 'stuff'. I assume you have updated?
Code:
jerry@comp:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff
jerry@comp:~$ env X="() { :;} ; echo busted" bash -c "echo stuff"
bash: warning: X: ignoring function definition attempt
bash: error importing function definition for `X'
stuff
jerry@comp:~$Re: Bash Vulnerability and Linux Lite - Scott(0) - 09-25-2014
My system was already fixed via the normal LL update method:
Menu > All > Install Updates
You can also check the bash package version, type:
Code:
dpkg -s bash | grep VersionThe fixed versions are:
4.3-7ubuntu1.1,
4.2-2ubuntu2.2, and
4.1-2ubuntu3.1
My laptop, for example:
Code:
scott@laptop:~$ dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.1So, I'm fixed!
If your system failed just update with:
Menu > All > Install Updates
And test the package version again.
The link below lists other tests as well.
Source:
http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it
Re: Bash Vulnerability and Linux Lite - Valtam - 09-25-2014
IMPORTANT: If you have run Install Updates from the 25th onwards, then you are no longer vulnerable.
You bash version should now be > 4.3-7ubuntu1.3
To find out if you have the above version or higher, open a terminal and do (in 32 and 64 bit):
Code:
dpkg -s bash | grep VersionRun the 2 commands below from the terminal one at a time, each time it should return the word safe. If it returns the word vulnerable then do Menu, Install Updates and test again.
Code:
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"
env X="() { :;} ; echo vulnerable" bash -c "echo safe"Alternatively you can do:
Code:
sudo apt-get update && sudo apt-get install bashto get the latest version of bash.
Re: Bash Vulnerability and Linux Lite - Scott(0) - 09-25-2014
Since I was asked a few times, thought I pass it along.
The vulnerability test (in reply #3 by Valtam) is the same for both 32 and 64 bit version of Linux Lite.
Re: Bash Vulnerability and Linux Lite - Valtam - 09-25-2014
Thanks Scott, updated
I have left the greater-than sign in there next to the version number so there is no need to change it in the future.
Re: Bash Vulnerability and Linux Lite - newtusmaximus - 09-26-2014
Thanks for clarification and guidance. All OK here.
However
Are we vulnerable through our broadband routers?
Re: Bash Vulnerability and Linux Lite - Scott(0) - 09-26-2014
Valtam,
The bash package was updated again. The current version is:
Version: 4.3-7ubuntu1.3
Maybe this line should be updated in post #3 to prevent any confusion.
Quote:You bash version should now be > 4.3-7ubuntu1.1
Re: Bash Vulnerability and Linux Lite - Valtam - 09-26-2014
Done.
Sent from my mobile phone.
Re: Bash Vulnerability and Linux Lite - Coastie - 09-26-2014
For those like me who did not understand that shellshock is a bash vulnerability (or even what bash is) I am making this post so if they do a search for it they will find this thread.
I posted https://www.linuxliteos.com/forums/index.php?topic=941.msg5553#new because I did not know to search for bash.