Linux Lite Forums

Full Version: Bash Vulnerability and Linux Lite
I just ran the commands on LL2

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
env X="() { :;} ; echo busted" bash -c "echo stuff" 

and the second command came back with "busted"

Meaning LL is vulnerable

I imagine the patch for this is reliant on Ubuntu developers?


Both of mine just came back as 'stuff'. I assume you have updated?

Code:
jerry@comp:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff
jerry@comp:~$ env X="() { :;} ; echo busted" bash -c "echo stuff"
bash: warning: X: ignoring function definition attempt
bash: error importing function definition for `X'
stuff
jerry@comp:~$
My system was already fixed via the normal LL update method:
Menu > All > Install Updates

You can also check the bash package version, type:
Code:
dpkg -s bash | grep Version

The fixed versions are:
4.3-7ubuntu1.1,
4.2-2ubuntu2.2, and
4.1-2ubuntu3.1

My laptop, for example:
Code:
scott@laptop:~$ dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.1

So, I'm fixed!

If your system failed, just update with:
Menu > All > Install Updates
And test the package version again.

The link below lists other tests as well.

Source:
http://askubuntu.com/questions/528101/wh...o-i-fix-it
IMPORTANT: If you have run Install Updates from the 25th onwards, then you are no longer vulnerable.

Your bash version should now be > 4.3-7ubuntu1.3
To find out if you have the above version or higher, open a terminal and do (in 32 and 64 bit):

Code:
dpkg -s bash | grep Version

Run the 2 commands below from the terminal one at a time; each time it should return the word safe. If it returns the word vulnerable, then do Menu, Install Updates and test again.

Code:
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"

env X="() { :;} ; echo vulnerable" bash -c "echo safe"

Alternatively you can do:

Code:
sudo apt-get update && sudo apt-get install bash

to get the latest version of bash.
Since I was asked a few times, I thought I'd pass it along.

The vulnerability test (in reply #3 by Valtam) is the same for both 32 and 64 bit version of Linux Lite.
Thanks Scott, updated :) I have left the greater-than sign in there next to the version number so there is no need to change it in the future.
Thanks for clarification and guidance. All OK here. :)

However, are we vulnerable through our broadband routers?
Valtam,

The bash package was updated again. The current version is:
Version: 4.3-7ubuntu1.3

Maybe this line should be updated in post #3 to prevent any confusion.
Quote: Your bash version should now be > 4.3-7ubuntu1.1

Done.

Sent from my mobile phone.

For those like me who did not understand that shellshock is a bash vulnerability (or even what bash is), I am making this post so if they do a search for it they will find this thread.

I posted https://www.linuxliteos.com/forums/index...sg5553#new because I did not know to search for bash.
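
The checks from this thread combined into one script, as an added example that is not part of any forum post: it runs the env probe against /bin/sh and bash and compares the installed bash package with the fixed versions listed earlier in the thread. The function names are hypothetical, and the version comparison assumes dpkg is available.

```shell
#!/bin/sh
# Added example: Shellshock self-check built from the tests in this thread.

# Map the probe's captured stdout to a verdict. A vulnerable bash executes
# the trailing command while importing X, so "vulnerable" is printed.
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *safe*)       echo safe ;;
        *)            echo unknown ;;
    esac
}

# Run the thread's env probe against one shell binary (name or path).
probe_shell() {
    command -v "$1" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env X='() { :;} ; echo vulnerable' "$1" -c 'echo safe' 2>/dev/null || true)
    classify_probe_output "$out"
}

# Compare a bash package version with the fixed version the thread lists
# for its series. Needs dpkg for Debian version ordering.
version_status() {
    case "$1" in
        4.3-*) floor=4.3-7ubuntu1.1 ;;
        4.2-*) floor=4.2-2ubuntu2.2 ;;
        4.1-*) floor=4.1-2ubuntu3.1 ;;
        *) echo unknown-series; return 0 ;;
    esac
    if dpkg --compare-versions "$1" ge "$floor"; then
        echo fixed
    else
        echo outdated
    fi
}

for shell_bin in /bin/sh bash; do
    echo "$shell_bin: $(probe_shell "$shell_bin")"
done
if command -v dpkg-query >/dev/null 2>&1; then
    ver=$(dpkg-query -W -f='${Version}' bash 2>/dev/null || true)
    echo "bash package: ${ver:-unknown} ($(version_status "$ver"))"
fi
```

The floors are the first fixed versions the thread lists; a later post reports a newer package (4.3-7ubuntu1.3), so treat "fixed" as a minimum.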