Impact of CVE-2014-6271 and CVE-2014-7169 (Shellshock) on NetWare6.5 SP8

Greetings, all...
I see that Novell has a handy security note out regarding CVE-2014-6271:
http://support.novell.com/security/c...2014-6271.html
as it pertains to SUSE and SLE, as well as one for CVE-2014-7169:
http://support.novell.com/security/c...2014-7169.html
Testing in a bash shell on one of my NetWare boxes, I've been pleasantly
surprised, though remain unconvinced that the older bash port is entirely
free of vulnerability, here.
Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
I don't believe that anyone is using mod_cgi or mod_cgid.
(BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
32 and 64-bit binary rpms on my FTP server:
ftp.2rosenthals.com/pub/CentOS/4.8 .)
Just curious as to what the consensus is regarding NetWare with this thing.
TIA
Lewis
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC www.2rosenthals.com
Need a managed Wi-Fi hotspot? www.hautspot.com
visit my IT blog www.2rosenthals.net/wordpress

The concern with the bash shell is that services MAY be set up to run as
users which use those shells, and therefore be able to have things
injected into those shells. Nothing on NetWare uses bash by default,
because NetWare is not anything like Linux/Unix in its use of shells.
Sure, you can load bash for fun and profit on NetWare, but unless you
explicitly request it the bash.nlm file is never used. On NetWare I do
not think it is even possible to have any normal non-Bash environment
variable somehow be exported/inherited into a bash shell, though I've
never tried.
Good luck.

Similar Messages

  • CVE-2014-6271 and CVE-2014-7169 / Oracle Linux

    Hi,
    patches required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle Linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm"
    From where can I get this patch? It's not available on support.oracle/patches!
    Thanks,
    Thamer

    Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
    You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5).

  • NX-OS ( n7000-s1-dk9.5.1.3.bin ) BASH VULNERABILITY - CVE-2014-6271 and CVE-2014-7169

    Hi,
    Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169: I am referring to the link below to check for NX-OS - n7000-s1-dk9.5.1.3.bin
    https://tools.cisco.com/bugsearch/bug/CSCur04856
    5.1.3 is not mentioned in the affected list. Need help to know if 5.1 is affected by the BASH vulnerability.
    Thanks for the help in advance.

  • Bash patch did not fix vulnerability CVE-2014-7169, please fix

    The latest patch for Bash bug that I just installed for Mavericks took care of the CVE-2014-6172 vulnerability though from my testing CVE-2014-7169 is still vulnerable.  Please fix all Bash vulnerabilities soon.

    Apple is on record as saying:
    "The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson told iMore. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services."
    You do not appear to be running any of these advanced UNIX services, so can you tell us exactly what your concern is?
    Also, my testing shows that CVE-2014-7169 is fixed by using this test:
    env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo
    Did you forget to delete the file "echo" from your home folder by any chance?
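
The stale-file false positive raised in the reply above can be ruled out by running the same probe in an empty scratch directory. This is an added example, not part of the original posts; the function name `check_7169` and its output strings are chosen here for illustration.

```shell
#!/bin/sh
# Added example: CVE-2014-7169 self-test isolated from the caller's directory.
# check_7169 and the strings it prints are names chosen for this example.

check_7169() {
    shell_bin="${1:-bash}"            # shell to test; defaults to bash

    # Resolve to a full path first, because the probe runs from another directory.
    shell_path=$(command -v "$shell_bin" 2>/dev/null) || {
        echo "missing"
        return 2
    }

    # An empty scratch directory guarantees that any file named "echo"
    # found afterwards was created by this run, not left by an earlier one.
    scratch=$(mktemp -d) || return 2

    # Same probe as in the post above, run in a subshell so the caller's
    # working directory is untouched. The probe's exit status and output
    # are ignored; only the side effect (a new file) matters.
    (
        cd "$scratch" || exit 2
        env X='() { (a)=>\' "$shell_path" -c "echo date" >/dev/null 2>&1 || true
    ) || { rm -rf "$scratch"; return 2; }

    if [ -e "$scratch/echo" ]; then
        result="vulnerable"           # parser redirected output into ./echo
    else
        result="patched"
    fi

    rm -rf "$scratch"
    echo "$result"
    [ "$result" = "patched" ]         # exit status 0 only when patched
}
```

Pass the shell to test as the argument, for example `check_7169 /bin/sh` on a system where `sh` is bash; a leftover `echo` file in the current directory no longer affects the verdict.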

  • Shortened Fiscal Year and its impact on BI back end and Bex reports

    Hi All,
    Our client is making some changes to the fiscal year period.
    Because of some business requirements, we will have to shorten the fiscal year.
    Can you please suggest:
    - what are the watch points when we do this?
    - what will be the impact on the BI back end and Bex reports?
    Thanks,
    Nisha

    Hello Nisha,
    Since the fiscal year (Infobjects - 0FISCYEAR and/ 0FISCPER3) is compounded with fiscal year variant, therefore maintaining the correct variant in BI will automatically take care of showing the data correctly.
    So there are two things to be maintained in BI:
    1) To see that the variant definition.
    2) If you need to display the text of the fiscal periods, then the correct texts.
    Let me know if you need more clarifications.
    Regards,
    Shweta
    Edited by: Shweta Kesarwani on Jan 8, 2010 11:10 AM

  • CVE-2014-6271 and CVE-2014-7169 Patch Availability Document for Oracle Linux

    Hi,
    Can you suggest from where we need to download bash rpm for OEL 6 :-
    bash-4.1.2-15.el6_5.2.x86_64.rpm
    bash-doc-4.1.2-15.el6_5.2.x86_64.rpm
    Thanks in Advance !!
    Mukesh

    First see the document I linked about creating a local yum mirror (How to Create a Local Yum Repository for Oracle Linux). I very strongly recommend setting this up so your systems can get other updates besides bash.
    The individual RPMs can be found at Index of /repo/OracleLinux/OL6/latest/x86_64/ -- but I cannot stress the importance of updating entire systems rather than just bash. If you are not updating your systems periodically, bash is just one of your worries (as you're undoubtedly vulnerable to hundreds of other exploits in other packages besides Shellshock). Please set up an update repository and use it.
    Patching only the vulnerabilities you see in the news is equivalent to locking your home's front door, but leaving the security alarm disconnected and the back door held open with a doorstop. You need all the updates, not just bash.

  • CSCur05434 - Emergency Responder evaluation for CVE-2014-6271 and CVE-2014-7169

    So, is there going to be a COP file fix released for Emergency Responder or are we expected to know how to download and install the fixed version of Bash from Red Hat as the solution? For Call Manager, Unity and UCCX, there were COP files released...if this is not going to be the solution for ER, it would be nice if the bug report were clearer on the matter.

    There is one posted under "CER Upgrade Patch" , at least for 10. The bug report is not clear on that at all.
    Turns into: bash-3.2-33.el5_11.4
    after installing the patch.

  • Telepresence endpoint evaluation for CVE-2014-6271 and CVE-2014-7169 aka "Shellshock"

    Please refer to the Cisco Security Advisory for more information.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    BUG ID: CSCur02591
    /Magnus

    Hi Magnus,
    Is blocking the management ports (HTTP/HTTPS/SSH/Telnet/basically everything under port 1024) sufficient to mitigate this issue for TelePresence systems?
    Or is the issue also present on the SIP and H.323 ports?

  • CSCur00930 - CUCM evaluation for CVE-2014-6271, 2014-7169, 2014-6277 and 2014-6278 - 5

    I'm not finding any information for ELM. Does the same COP file fix the BASH vulnerability in ELM? Is ELM vulnerable?

  • ASR1K GNU Bash Vulnerability Rommon requirement (CVE-2014-6271 and CVE-2014-7169)

    Does anyone know which ROMmon release version is recommended for 3.13.X?
    There was no information in the release notes.
    Thanks a lot~

  • CSCur05017 - N5K/N6K evaluation for CVE-2014-6271 and CVE-2014-7169 - 4

    What about if we run an older version not listed in "Known Affected Releases"? We currently have 2 Nexus switches with engine 5.0(3)N2(1).
    Thanks for any input on that.

  • CSCur02861 - UCCX evaluation for CVE-2014-6271, 2014-7169, 2014-6277 and 2014-6278 - 2

    The status of this bug is listed as fixed, however there is no version listed under the known fixed releases.
    Would anyone know how this is possible?

  • Impact of shifting database version and platform

    I have to migrate an existing system using Oracle7.3.2.3 on Sun Solaris (SPARC) 2.6 to Oracle 9i on Linux.
    Could you just guide me on what the impact will be on the existing code and the database?
    Are there any documents available regarding this?

    There is a defined path for this in the Oracle9i upgrade manual. I'm not sure, but the path I think you have to take is 7.3->8i, 8i->9i. You will have to recompile all programs like pro*C and things like that, but everything else should be consistent.

  • Impact of revoking APEX_040000 view and privileges from public ?

    Forum...
    We are in an integration scenario where we do not want a user connecting through SQL to see the APEX product database objects to which APEX has granted public access (as per the "Granted Privileges" section of the APEX documentation, specifically the views and tables for which public synonyms are created).
    Does anyone have an idea of what the impact of revoking these public privileges would be on apex users and applications ?
    Thanks
    Pierre

    Hi Pierre,
    I'm just curious - can you give a couple examples of objects for which you wish to revoke privileges from PUBLIC?
    Joel

  • The impact of accrue at receipt and accrue at period end on project costing

    What is the impact of checking the accrue on receipt flag on the PO shipment on the PRC: Interface Supplier Costs behavior?

    Hi
    The system should be setup with Accrual Method on Receipt (not on period end).
    On PO shipments of Goods line type you may enable the check box - Accrue on Receipt. This is mandatory for Inventory destination and a default for Expense destination.
    When goods arrived from the supplier you enter a receipt transaction. That receipt transaction will get accounted and sent to SLA and GL.
    The process PRC: Interface Supplier Cost have several parameters. You can select to interface PO Receipts transactions into Projects Costing. You would select to interface invoices as well. The system will check if the receipt transaction has been interfaced to PJC. If so, only AP variances will be imported from AP to PJC. If the receipt transaction has not been interfaced to Projects, then the entire AP invoice will be imported.
    Another option is to always interface receipt transactions to Projects, and from AP to always interface only the variances, regardless if the receipt transaction has been already imported or not.
    Dina
