Bash Vulnerability and Linux Lite

[rbdflyboy]

Thank you...got the info about this from PC World this morning. My Bash version passed and the first command was "safe". Failed the second command, did the update and am now safe. Thanks, again!

[Coastie]

For those like me who did not understand that shellshock is a bash vulnerability (or even what bash is) I am making this post so if they do a search for it they will find this thread.

I posted https://www.linuxliteos.com/forums/index.php?topic=941.msg5553#new because I did not know to search for bash.

[Jerry]

Done.

Sent from my mobile phone.

[Scott]

Valtam,

The bash package was updated again. The current version is:
Version: 4.3-7ubuntu1.3

Maybe this line should be updated in post #3 to prevent any confusion.

You bash version should now be > 4.3-7ubuntu1.1

[newtusmaximus]

Thanks for clarification and guidance. All OK here. 

However
Are we vulnerable through our  broadband routers?

[Jerry]

Thanks Scott, updated I have left the greater-than sign in there next to the version number so there is no need to change it in the future.

[Scott]

Since I was asked a few times, thought I pass it along.

The vulnerability test (in reply #3 by Valtam) is the same for both 32 and 64 bit version of Linux Lite.

[Jerry]

IMPORTANT: If you have run Install Updates from the 25th onwards, then you are no longer vulnerable.

You bash version should now be > 4.3-7ubuntu1.3
To find out if you have the above version or higher, open a terminal and do (in 32 and 64 bit):

Code: [Select]

dpkg -s bash | grep Version
Run the 2 commands below from the terminal one at a time, each time it should return the word safe. If it returns the word vulnerable then do Menu, Install Updates and test again.

Code: [Select]

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"

env X="() { :;} ; echo vulnerable" bash -c "echo safe"
Alternatively you can do:

Code: [Select]

sudo apt-get update && sudo apt-get install bash
to get the latest version of bash.

[Scott]

My system was already fixed via the normal LL update method:
Menu > All > Install Updates

You can also check the bash package version, type:

Code: [Select]

dpkg -s bash | grep Version
The fixed versions are:
4.3-7ubuntu1.1,
4.2-2ubuntu2.2, and
4.1-2ubuntu3.1

My laptop, for example:

Code: [Select]

scott@laptop:~$ dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.1
So, I'm fixed!

If your system failed just update with:
Menu > All > Install Updates
And test the package version again.

The link below lists other tests as well.

Source:
http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it

[Jerry]

Both of mine just came back as 'stuff'. I assume you have updated?

Code: [Select]

jerry@comp:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff
jerry@comp:~$ env X="() { :;} ; echo busted" bash -c "echo stuff"
bash: warning: X: ignoring function definition attempt
bash: error importing function definition for `X'
stuff
jerry@comp:~$

[Dookus]

I just ran the commands on LL2
 
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
env X="() { :;} ; echo busted" bash -c "echo stuff" 

and the second command came back with "busted"

Meaning LL is vulnerable

I imagine the patch for this is reliant on Ubuntu developers?