Linux Lite Forums
General => On Topic => Topic started by: Dookus on September 25, 2014, 01:46:20 AM
-
I just ran the commands on LL2
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
env X="() { :;} ; echo busted" bash -c "echo stuff"
and the second command came back with "busted"
Meaning LL is vulnerable
I imagine the patch for this is reliant on Ubuntu developers?
-
Both of mine just came back as 'stuff'. I assume you have updated?
[email protected]:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff
[email protected]:~$ env X="() { :;} ; echo busted" bash -c "echo stuff"
bash: warning: X: ignoring function definition attempt
bash: error importing function definition for `X'
stuff
[email protected]:~$
-
My system was already fixed via the normal LL update method:
Menu > All > Install Updates
You can also check the bash package version, type:
dpkg -s bash | grep Version
The fixed versions are:
4.3-7ubuntu1.1,
4.2-2ubuntu2.2, and
4.1-2ubuntu3.1
My laptop, for example:
[email protected]:~$ dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.1
So, I'm fixed!
If your system failed just update with:
Menu > All > Install Updates
And test the package version again.
The link below lists other tests as well.
Source:
http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it
-
IMPORTANT: If you have run Install Updates from the 25th onwards, then you are no longer vulnerable.
You bash version should now be > 4.3-7ubuntu1.3
To find out if you have the above version or higher, open a terminal and do (in 32 and 64 bit):
dpkg -s bash | grep Version
Run the 2 commands below from the terminal one at a time, each time it should return the word safe. If it returns the word vulnerable then do Menu, Install Updates and test again.
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"
env X="() { :;} ; echo vulnerable" bash -c "echo safe"
Alternatively you can do:
sudo apt-get update && sudo apt-get install bash
to get the latest version of bash.
-
Since I was asked a few times, thought I pass it along.
The vulnerability test (in reply #3 by Valtam) is the same for both 32 and 64 bit version of Linux Lite.
-
Thanks Scott, updated :) I have left the greater-than sign in there next to the version number so there is no need to change it in the future.
-
Thanks for clarification and guidance. All OK here. :)
However
Are we vulnerable through our broadband routers?
-
Valtam,
The bash package was updated again. The current version is:
Version: 4.3-7ubuntu1.3
Maybe this line should be updated in post #3 to prevent any confusion.
You bash version should now be > 4.3-7ubuntu1.1
-
Done.
Sent from my mobile phone.
-
For those like me who did not understand that shellshock is a bash vulnerability (or even what bash is) I am making this post so if they do a search for it they will find this thread.
I posted https://www.linuxliteos.com/forums/index.php?topic=941.msg5553#new because I did not know to search for bash.
-
Thank you...got the info about this from PC World this morning. My Bash version passed and the first command was "safe". Failed the second command, did the update and am now safe. Thanks, again!