Are you aware of the bash security issue CVE-2014-6271? Do you have a patch for that? The problem may exist in all Solaris versions.

The official communication is now posted to
    https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169

Similar Messages

  • CVE-2014-6271 - Shellshock- NO fix from NOVELL for OES11 SP1

    there is NOT even a mention on Novell's site that I can see
    DISAPPOINTED
    SUSE has !!!
    https://www.suse.com/support/kb/doc.php?id=7015702
    This DOES not FIX OES 11 SP1 Servers
    So SLES Sp2 fix yes but NOT OES - at least does NOT seem to work for me

    Hi.
    On 29.09.2014 08:46, bharat1 wrote:
    >
    > Most Customers have a 3-5 year Server replacement cycle and MANY will /
    > may not patch unless absolutely necessary.
    Not patching operating systems these days and ages is not going to fly.
    Especially not if you want security fixes.
    > If it's not broke - don't fix it.
    Define "broke". Did your server stop to work?
    > Two opinions
    > (1) Important FLAW like this should be publicly available.... IMHO :)
    But it is.
    > (2) a product should have MINIMUM 5 Years FULL support
    But it has. A service pack is *NOT* a new product.
    CU,
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de

  • Bash bug  CVE-2014-6271 patch availability?

    Hi everyone, does anyone know if Oracle has released a patch for the bash bug?  CVE-2014-6271 link below.
    NVD - Detail
    I'm looking for a patch on el5uek and el6uek I'm using: 2.6.39-400.126.1.el5uek, 2.6.39-400.21.1.el6uek.x86_64
    thanks!

    Check the following:
    [root@vm110 ~]# yum -y install yum-security
    [root@vm110 ~]# yum list-security | grep bash
    This system is not registered with ULN.
    You can use up2date --register to register.
    ULN support will be disabled.
    ELSA-2014-1293 security bash-3.2-33.el5.1.x86_64
    [root@vm110 ~]# yum info-security ELSA-2014-1293
    Loaded plugins: rhnplugin, security
    This system is not registered with ULN.
    You can use up2date --register to register.
    ULN support will be disabled.
    ===============================================================================
       bash security update
    ===============================================================================
      Update ID : ELSA-2014-1293
        Release : Oracle Linux 5
           Type : security
         Status : final
         Issued : 2014-09-24
           CVEs : CVE-2014-6271
    Description : [4.1.2-15.1]
                : - Check for fishy environment
                :   Resolves: #1141645
       Solution : This update is available via the Unbreakable Linux Network (ULN)
                : and the Oracle Public Yum Server. Details on how
                : to use ULN or http://public-yum.oracle.com to
                : apply this update are available at
                : http://linux.oracle.com/applying_updates.html.
         Rights : Copyright 2014 Oracle, Inc.
       Severity : Critical
    info-security done
    [root@vm110 ~]# yum -y install bash-3.2-33.el5.1
    If you cannot see the above and do not pay for a subscription, make sure you have correct yum repository setup.
    See Oracle Public Yum Server for details.
    To install:
    [root@vm110 ~]# yum -y install bash-3.2-33.el5.1

  • My MacBook Pro is all of sudden having issues with pop up ads.  I am running OSX 10.5.8.  Any suggestions for fixing the problem?

    All of a sudden I am getting TONS of pop up ads.  I am on a Macbook Pro running OSX 10.5.8.  Anyone have any suggestions for fixing the problem?

    Take a look at my Adware Removal Guide.
    (Fair disclosure: The Safe Mac is my site, and contains a Donate button, so I may receive compensation for providing links to The Safe Mac. Donations are not required.)

  • Bash vulnerability bash CVE-2014-6271 on Cisco devices

    Hi, all,
    Anybody know whether any Cisco devices are vulnerable to  recent bash CVE-2014-6271? I am especially concerned about ASA which opens https to the public.
    Thanks,

    Have a look here: 
    http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html
    and here:
    http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    Under affected products. 

  • [CVE-2014-6271] IronPort appliances affected by recent bash vulnerability?

    http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
    Discussion?

    Cisco has issued an official PSIRT notice for the GNU Bash Environmental Variable Command Injection Vulnerability (CVE-2014-6271), please refer all inquiries to:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    Please refer to the expanded "Affected Products".
    The following Cisco products are currently under investigation:
    Cable Modems
    Cisco CWMS
    Network Application, Service, and Acceleration
    Cisco ACE GSS 4400 Series Global Site Selector
    Cisco ASA
    Cisco GSS 4492R Global Site Selector
    Network and Content Security Devices
    Cisco IronPort Encryption Appliance
    Cisco Ironport WSA
    Routing and Switching - Enterprise and Service Provider
    Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500
    Cisco ISM
    Cisco NCS6000
    Voice and Unified Communications Devices
    Cisco Finesse
    Cisco MediaSense
    Cisco SocialMiner
    Cisco Unified Contact Center Express (UCCX)
    Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.

  • Bash CVE-2014-6271 Vulnerability

    Excuse me if this was already posted. I searched titles only for bash and 6271 and didn't see any results.
    Cut and paste from CVE-2014-6271 Bash vulnerability allows remote execution arbitrary code:
    This morning a flaw was found in Bash with the way it evaluated certain environment variables. Basically an attacker could use this flaw to override or bypass environment restrictions to execute shell commands. As a result various services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
    Details on CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD (page pending creation).
    I’m currently patching servers for this. The issue affects ALL products which use Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by applications. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such!
    To test if your version of Bash is vulnerable run the following command:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    If that command returns the following:
    vulnerable
    this is a test
    …then you are using a vulnerable version of Bash and should patch immediately. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    Arch Linux CVE-2014-6271 patch:
    pacman -Syu
    Last edited by hydn (2014-09-28 20:57:41)

    On a related note.  I post this here as it might be of interest to some members....
    I just checked my DD-WRT based router for this vulnerability.   It comes stock with Busybox and does not seem to be vulnerable, but...   I keep bash on a separate partition which gets mounted on /opt.  That bash is vulnerable.  Until the DD-WRT project catches up, I suggest anyone using that router firmware consider disabling Bash for the time being and stick with BB.
    Also, as another aside, ArchArm has this fix in place now and is safely running on my Raspberry Pi.   
    I did kill the ssh service on the Windows Box that let me into bash via Cygwin.  Cygwin Bash is vulnerable as of when I began this post.
    Last edited by ewaller (2014-09-25 18:26:18)
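
The probe from the first post above, wrapped so it can be pointed at every bash copy on a host (the second post found a vulnerable bash under /opt next to a non-vulnerable BusyBox shell). This is an added example, not part of the original posts; the function names and the default candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: run the thread's CVE-2014-6271 probe against several shell
# binaries instead of only the one that happens to be first in PATH.

# Classify the captured stdout of the probe. A vulnerable bash runs the
# trailing command while importing x, so "vulnerable" appears on its own line.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo VULNERABLE
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo not-vulnerable
    else
        echo inconclusive
    fi
}

# Run the probe quoted in the post against one shell binary.
check_shell() {
    shell_path=$1
    if [ ! -f "$shell_path" ] || [ ! -x "$shell_path" ]; then
        echo missing
        return 0
    fi
    # stderr is dropped: a patched bash may print its import warning there.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" \
              -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Print one "path<TAB>verdict" line per candidate.
scan_shells() {
    for candidate in "$@"; do
        printf '%s\t%s\n' "$candidate" "$(check_shell "$candidate")"
    done
}

# Default candidates are assumptions; pass the real paths as arguments.
if [ "$#" -eq 0 ]; then
    set -- /bin/bash /bin/sh /usr/local/bin/bash /opt/bin/bash
fi
scan_shells "$@"
```

A not-vulnerable verdict covers only the CVE-2014-6271 probe quoted in the post; other threads on this page also reference CVE-2014-7169, which this check does not test.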

  • CVE-2014-6271 bash vulnerability

    more info on this here:
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
    http://www.reddit.com/r/sysadmin/comments/2hc5rk/cve20146271_remote_code_execution_through_bash/
    I'm assuming Apple will release a security update for this on supported versions of the Mac OS but in the meantime, is there a fix that we can apply?   What is an easy way to patch this on older OS versions that Apple is no longer supporting?    (perhaps something short of recompiling bash)

    I had foolishly imagined that the update to "Command Line Tools (OS X 10.9)" released (I thought?) today would fix this. It does not. The referenced fixes do, although, as sjabour said, don't just run those blindly: understand what they do.
    As an aside, after patching other Unix systems I care for, I also changed all users' (and, on Linux, root's) shells to something else (I like Zsh, although that may not be right for root in all cases). On Darwin, root's shell is "/bin/sh", but, as with most Linux distributions, that's actually just bash. You absolutely can execute Zsh as sh, and have it behave as an sh-alike, so if you aren't comfortable with patching and rebuilding, but are comfortable with basic SA practice (or you just don't have XCode for whatever reason), you could replace the bash /bin/sh with a hard link to /bin/zsh instead, like this:
    % cd /bin
    % sudo ln sh sh-real
    % sudo ln -f zsh sh
    % ls -li sh* zsh
      334241 -rwxr-xr-x  2 root  wheel   530320 Oct 31  2013 sh
       11118 -r-xr-xr-x  1 root  wheel   942308 Sep 24 23:53 sh-real
    18050387 ----------  1 root  wheel  1228304 Sep 24 23:51 sh.CVE-2014-6271
      334241 -rwxr-xr-x  2 root  wheel   530320 Oct 31  2013 zsh
    % sudo su -
    # echo $SHELL
    /bin/sh
    # /bin/sh --version
    zsh 5.0.2 (x86_64-apple-darwin13.0)

  • Bash bug  CVE-2014-6271 patch availability for OL4?

    Hi,
    Kindly advise how to download the CVE-2014-7169  CVE-2014-6271 security patches for Oracle Linux 4?
    Rgds;
    Shirley

    Exactly the same way as you would for OL5, OL6 or OL7: either connect your machine to the Unbreakable Linux Network or public-yum.oracle.com and use the up2date tool to upgrade bash.

  • NX-OS ( n7000-s1-dk9.5.1.3.bin ) BASH VULNERABILITY - CVE-2014-6271 and CVE-2014-7169

    Hi ,
    Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169 , I am referring below link to check for NX OS  - n7000-s1-dk9.5.1.3.bin
    https://tools.cisco.com/bugsearch/bug/CSCur04856
    5.1.3 is not mentioned in the affected list. Need help to know if 5.1 is affected with BASH Vulnerability.
    Thanks for help in advance .


  • Within redbox I can not click on a movie and get information about it, instead I get an error message that says that the situation may be temporary. yet i keep having the same problem. Do you have any idea how to fix the problem?

    Within redbox I can not click on a movie and get information about it, instead I get an error message that says that the situation may be temporary. yet i keep having the same problem. Do you have any idea how to fix the problem?

    Did you delete all receipts with iDVD in the file name  with either a .PKG or .BOM extension that reside in the HD/Library/Receipts folder and from the /var/db/receipts/  folder before installing the new copy?  If not then do so and delete the new application also.
    Then install iPhoto from the disk it came on originally and apply all necessary updaters: Apple - Support - Downloads
    OT

  • Hi cannot import RAW photos from my canon eos 5d mark 3 to iphoto 9.6 with iOS  X Yosemite. Photos are black. Did you have a solution for that?

    hi cannot import RAW photos from my canon eos 5d mark 3 to iphoto 9.6 with iOS  X Yosemite. Photos are black. Did you have a solution for that?

    Thanks. Once ImageCapture had accessed the photos, THEN iPhoto began to pick up the data, so I was ultimately able to do both. It only worked with the cable, though, not the card readers. Weird.
    And I really appreciate the ImageCapture tip. Any idea why it worked?

  • Is there a patch out for the bash bug (CVE 2014-6271)?

    Is there a patch out for the bash bug (CVE 2014-6271)? I saw one for Oracle Linux, so I hope there's one for Solaris as well.

    Hi,
    another approach could be to just build a custom bash package yourself using
    the available changes published here:
    https://java.net/projects/solaris-userland/sources/gate/show/components/bash
    That's the build infrastructure and source we use to build the official Solaris 11
    IPS packages.
    Regards,
    Ronald

  • Impact of CVE-2014-6271 and CVE-2014-7169 (Shellshock) on NetWare6.5 SP8

    Greetings, all...
    I see that Novell has a handy security note out regarding CVE-2014-6271:
    http://support.novell.com/security/c...2014-6271.html
    as it pertains to SUSE and SLE, as well as one for CVE-2014-7169:
    http://support.novell.com/security/c...2014-7169.html
    Testing in a bash shell on one of my NetWare boxes, I've been pleasantly
    surprised, though remain unconvinced that the older bash port is entirely
    free of vulnerability, here.
    Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
    I don't believe that anyone is using mod_cgi or mod_cgid.
    (BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
    32 and 64-bit binary rpms on my FTP server:
    ftp.2rosenthals.com/pub/CentOS/4.8 .)
    Just curious as to what the consensus is regarding NetWare with this thing.
    TIA
    Lewis
    Lewis G Rosenthal, CNA, CLP, CLE, CWTS
    Rosenthal & Rosenthal, LLC www.2rosenthals.com
    Need a managed Wi-Fi hotspot? www.hautspot.com
    visit my IT blog www.2rosenthals.net/wordpress

    The concern with the bash shell is that services MAY be setup to run as
    users which use those shells, and therefore be able to have things
    injected into those shells. Nothing on NetWare uses bash by default,
    because NetWare is not anything like Linux/Unix in its use of shells.
    Sure, you can load bash for fun and profit on NetWare, but unless you
    explicitly request it the bash.nlm file is never used. On NetWare I do
    not think it is even possible to have any normal non-Bash environment
    variable somehow be exported/inherited into a bash shell, though I've
    never tried.
    Good luck.
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • CVE-2014-6271 and CVE-2014-7169 / Oracle Linux

    Hi ,
    patches required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle Linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm "
    from where I can get this patch, it's not available on support.oracle/patches !!
    Thanks,
    Thamer

    Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
    You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5).
