Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.
The official communication is now posted to
https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169
Similar Messages
-
CVE-2014-6271 - Shellshock- NO fix from NOVELL for OES11 SP1
there is NOT even a mention on Novell's site that I can see
DISAPPOINTED
SUSE has !!!
https://www.suse.com/support/kb/doc.php?id=7015702
This DOES not FIX OES 11 SP1 Servers
So SLES Sp2 fix yes but NOT OES - at least does NOT seem to work for me
Hi.
On 29.09.2014 08:46, bharat1 wrote:
>
> Most Customers have a 3-5 year Server replacement cycle and MANY will /
> may not patch unless absolutely necessary.
Not patching operating systems these days and ages is not going to fly.
Especially not if you want security fixes.
> If its not broke - don't fix it.
Define "broke". Did your server stop working?
> Two opinions
> (1) Important FLAW like this should be publicly available.... IMHO :)
But it is.
> (2) a product should have MINIMUM 5 Years FULL support
But it has. A service pack is *NOT* a new product.
CU,
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de -
Bash bug CVE-2014-6271 patch availability?
Hi everyone, does anyone know if Oracle has released a patch for the bash bug? CVE-2014-6271 link below.
NVD - Detail
I'm looking for a patch on el5uek and el6uek I'm using: 2.6.39-400.126.1.el5uek, 2.6.39-400.21.1.el6uek.x86_64
thanks!
Check the following:
[root@vm110 ~]# yum -y install yum-security
[root@vm110 ~]# yum list-security | grep bash
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
ELSA-2014-1293 security bash-3.2-33.el5.1.x86_64
[root@vm110 ~]# yum info-security ELSA-2014-1293
Loaded plugins: rhnplugin, security
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
===============================================================================
bash security update
===============================================================================
Update ID : ELSA-2014-1293
Release : Oracle Linux 5
Type : security
Status : final
Issued : 2014-09-24
CVEs : CVE-2014-6271
Description : [4.1.2-15.1]
: - Check for fishy environment
: Resolves: #1141645
Solution : This update is available via the Unbreakable Linux Network (ULN)
: and the Oracle Public Yum Server. Details on how
: to use ULN or http://public-yum.oracle.com to
: apply this update are available at
: http://linux.oracle.com/applying_updates.html.
Rights : Copyright 2014 Oracle, Inc.
Severity : Critical
info-security done
[root@vm110 ~]# yum -y install bash-3.2-33.el5.1
If you cannot see the above and do not pay for a subscription, make sure you have correct yum repository setup.
See Oracle Public Yum Server for details.
To install:
[root@vm110 ~]# yum -y install bash-3.2-33.el5.1 -
All of a sudden I am getting TONS of pop up ads. I am on a Macbook Pro running OSX 10.5.8. Anyone have any suggestions for fixing the problem?
Take a look at my Adware Removal Guide.
(Fair disclosure: The Safe Mac is my site, and contains a Donate button, so I may receive compensation for providing links to The Safe Mac. Donations are not required.) -
Bash vulnerability bash CVE-2014-6271 on Cisco devices
Hi, all,
Anybody know whether any Cisco devices are vulnerable to recent bash CVE-2014-6271? I am especially concerned about ASA which opens https to the public.
Thanks,
Have a look here:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html
and here:
http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Under affected products. -
[CVE-2014-6271] IronPort appliances affected by recent bash vulnerability?
http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
Discussion?
Cisco has issued an official PSIRT notice for the GNU Bash Environmental Variable Command Injection Vulnerability (CVE-2014-6271), please refer all inquiries to:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Please refer to the expanded "Affected Products".
The following Cisco products are currently under investigation:
Cable Modems
Cisco CWMS
Network Application, Service, and Acceleration
Cisco ACE GSS 4400 Series Global Site Selector
Cisco ASA
Cisco GSS 4492R Global Site Selector
Network and Content Security Devices
Cisco IronPort Encryption Appliance
Cisco Ironport WSA
Routing and Switching - Enterprise and Service Provider
Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500
Cisco ISM
Cisco NCS6000
Voice and Unified Communications Devices
Cisco Finesse
Cisco MediaSense
Cisco SocialMiner
Cisco Unified Contact Center Express (UCCX)
Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues. -
Bash CVE-2014-6271 Vulnerability
Excuse me if this was already posted. I searched titles only for bash and 6271 and didn't see any results.
Cut and paste from CVE-2014-6271 Bash vulnerability allows remote execution arbitrary code:
This morning a flaw was found in Bash with the way it evaluated certain environment variables. Basically an attacker could use this flaw to override or bypass environment restrictions to execute shell commands. As a result various services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
Details on CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD (page pending creation).
I’m currently patching servers for this. The issue affects ALL products which use Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by applications. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such!
To test if your version of Bash is vulnerable run the following command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If that command returns the following:
vulnerable
this is a test
…then you are using a vulnerable version of Bash and should patch immediately. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Arch Linux CVE-2014-6271 patch:
pacman -Syu
Last edited by hydn (2014-09-28 20:57:41)
On a related note. I post this here as it might be of interest to some members....
I just checked my DD-WRT based router for this vulnerability. It comes stock with Busybox and does not seem to be vulnerable, but... I keep bash on a separate partition which gets mounted on /opt. That bash is vulnerable. Until the DD-WRT project catches up, I suggest anyone using that router firmware consider disabling Bash for the time being and stick with BB.
Also, as another aside, ArchArm has this fix in place now and is safely running on my Raspberry Pi.
I did kill the ssh service on the Windows Box that let me into bash via Cygwin. Cygwin Bash is vulnerable as of when I began this post.
Last edited by ewaller (2014-09-25 18:26:18) -
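As an added example (not part of either post above; the function names are illustrative): the env test from the first post applied to every bash binary on a host, since, as the reply notes, a second copy under /opt can be vulnerable while the system shell is not. It assumes candidate copies are found through /etc/shells, $PATH and any extra directories passed as arguments.

```shell
#!/bin/sh
# Added example: audit each bash binary on a host for CVE-2014-6271 with the
# env test quoted in the thread. Function names are illustrative.

# classify_bash FILE -> prints "vulnerable", "patched" or "error"
classify_bash() {
    [ -x "$1" ] || { echo error; return 0; }
    # Same probe as in the post: a function definition followed by a harmless
    # echo. A vulnerable bash runs the echo while importing variable x.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo error ;;
    esac
}

# list_bash_candidates [DIR...] -> bash paths from /etc/shells, $PATH and DIRs
list_bash_candidates() {
    {
        if [ -r /etc/shells ]; then grep -E '/bash$' /etc/shells || true; fi
        IFS=:
        for dir in $PATH "$@"; do
            if [ -n "$dir" ] && [ -x "$dir/bash" ]; then echo "$dir/bash"; fi
        done
    } | sort -u
}

# audit_bash [DIR...] -> one "path: verdict" line per candidate
audit_bash() {
    list_bash_candidates "$@" | while IFS= read -r shell; do
        echo "$shell: $(classify_bash "$shell")"
    done
}

# Extra directories (e.g. a separately mounted /opt/bin) go on the command line.
audit_bash "$@"
```

An "error" verdict means the file did not run or produced neither expected line, so check that path by hand.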
CVE-2014-6271 bash vulnerability
more info on this here:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://www.reddit.com/r/sysadmin/comments/2hc5rk/cve20146271_remote_code_execution_through_bash/
I'm assuming Apple will release a security update for this on supported versions of the Mac OS but in the meantime, is there a fix that we can apply? What is an easy way to patch this on older OS versions that Apple is no longer supporting? (perhaps something short of recompiling bash)
I had foolishly imagined that the update to "Command Line Tools (OS X 10.9)" released (I thought?) today would fix this. It does not. The referenced fixes do, although, as sjabour said, don't just run those blindly: understand what they do.
As an aside, after patching other Unix systems I care for, I also changed all users' (and, on Linux, root's) shells to something else (I like Zsh, although that may not be right for root in all cases). On Darwin, root's shell is "/bin/sh", but, as with most Linux distributions, that's actually just bash. You absolutely can execute Zsh as sh, and have it behave as an sh-alike, so if you aren't comfortable with patching and rebuilding, but are comfortable with basic SA practice (or you just don't have XCode for whatever reason), you could replace the bash /bin/sh with a hard link to /bin/zsh instead, like this:
% cd /bin
% sudo ln sh sh-real
% sudo ln -f zsh sh
% ls -li sh* zsh
334241 -rwxr-xr-x 2 root wheel 530320 Oct 31 2013 sh
11118 -r-xr-xr-x 1 root wheel 942308 Sep 24 23:53 sh-real
18050387 ---------- 1 root wheel 1228304 Sep 24 23:51 sh.CVE-2014-6271
334241 -rwxr-xr-x 2 root wheel 530320 Oct 31 2013 zsh
% sudo su -
# echo $SHELL
/bin/sh
# /bin/sh --version
zsh 5.0.2 (x86_64-apple-darwin13.0) -
Bash bug CVE-2014-6271 patch availability for OL4?
Hi,
Kindly advise how to download the CVE-2014-7169 CVE-2014-6271 security patches for Oracle Linux 4?
Rgds;
Shirley
Exactly the same way as you would for OL5, OL6 or OL7: either connect your machine to the Unbreakable Linux Network or public-yum.oracle.com and use the up2date tool to upgrade bash.
-
Hi ,
Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169 , I am referring below link to check for NX OS - n7000-s1-dk9.5.1.3.bin
https://tools.cisco.com/bugsearch/bug/CSCur04856
5.1.3 is not mentioned in the affected list. Need help to know if 5.1 is affected with BASH Vulnerability.
Thanks for help in advance. -
Within redbox I can not click on a movie and get information about it, instead I get an error message that says that the situation may be temporary. yet i keep having the same problem. Do you have any idea how to fix the problem?
Did you delete all receipts with iDVD in the file name with either a .PKG or .BOM extension that reside in the HD/Library/Receipts folder and from the /var/db/receipts/ folder before installing the new copy? If not then do so and delete the new application also.
Then install iPhoto from the disk it came on originally and apply all necessary updaters: Apple - Support - Downloads
OT -
hi cannot import RAW photos from my canon eos 5d mark 3 to iphoto 9.6 with iOS X Yosemite. Fotos are black. Did you have a solution for that?
Thanks. Once ImageCapture had accessed the photos, THEN iPhoto began to pick up the data, so I was ultimately able to do both. It only worked with the cable, though, not the card readers. Weird.
And I really appreciate the ImageCapture tip. Any idea why it worked? -
Is there a patch out for the bash bug (CVE 2014-6271)?
Is there a patch out for the bash bug (CVE 2014-6271)? I saw one for Oracle Linux, so I hope there's one for Solaris as well.
Hi,
another approach could be to just build a custom bash package yourself using
the available changes published here:
https://java.net/projects/solaris-userland/sources/gate/show/components/bash
That's the build infrastructure and source we use to build the official Solaris 11
IPS packages.
Regards,
Ronald -
Impact of CVE-2014-6271 and CVE-2014-7169 (Shellshock) on NetWare6.5 SP8
Greetings, all...
I see that Novell has a handy security note out regarding CVE-2014-6271:
http://support.novell.com/security/c...2014-6271.html
as it pertains to SUSE and SLE, as well as one for CVE-2014-7169:
http://support.novell.com/security/c...2014-7169.html
Testing in a bash shell on one of my NetWare boxes, I've been pleasantly
surprised, though remain unconvinced that the older bash port is entirely
free of vulnerability, here.
Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
I don't believe that anyone is using mod_cgi or mod_cgid.
(BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
32 and 64-bit binary rpms on my FTP server:
ftp.2rosenthals.com/pub/CentOS/4.8 .)
Just curious as to what the consensus is regarding NetWare with this thing.
TIA
Lewis
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC www.2rosenthals.com
Need a managed Wi-Fi hotspot? www.hautspot.com
visit my IT blog www.2rosenthals.net/wordpress
The concern with the bash shell is that services MAY be setup to run as
users which use those shells, and therefore be able to have things
injected into those shells. Nothing on NetWare uses bash by default,
because NetWare is not anything like Linux/Unix in its use of shells.
Sure, you can load bash for fun and profit on NetWare, but unless you
explicitly request it the bash.nlm file is never used. On NetWare I do
not think it is even possible to have any normal non-Bash environment
variable somehow be exported/inherited into a bash shell, though I've
never tried.
Good luck.
-
CVE-2014-6271 and CVE-2014-7169 / Oracle Linux
Hi ,
The patch required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle Linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm".
From where can I get this patch? It's not available on support.oracle/patches!!
Thanks,
Thamer
Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5).