Update more patches Re: Heads up: possible BASH security vulnerability

2014-10-06 Thread Michael D. Setzer II
> > > > Quoting Edik Landaveri : > > > > > #Thu Sep 25 19:11:30 PDT 2014 > > > > > > Debian already rel

Re: Heads up: possible BASH security vulnerability

2014-09-26 Thread Ian Malone
On 25 September 2014 20:11, jd1008 wrote: > > On 09/25/2014 01:50 AM, Ian Malone wrote: >> >> On 25 September 2014 01:36, jd1008 wrote: >>> >>> On 09/24/2014 06:27 PM, Chris Adams wrote: Once upon a time, jd1008 said: > > So, is this one of the ways javascripts exec bash to ins

Re: Heads up: possible BASH security vulnerability

2014-09-26 Thread Ian Malone
On 26 September 2014 05:43, Roger wrote: > I don't know what to think. I have tried all of the bash tests mentioned so > far and bash shell indicates they all fail as explained in the reports. > Therefore my shell in Ubuntu 14.04 must be already patched. Why is mine ok > yet others have not yet pa

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Roger
I don't know what to think. I have tried all of the bash tests mentioned so far and bash shell indicates they all fail as explained in the reports. Therefore my shell in Ubuntu 14.04 must be already patched. Why is mine ok yet others have not yet patched? Has Linux not yet released the update?

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Michael D. Setzer II
On 25 Sep 2014 at 19:45, Dave Stevens wrote:

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Dave Stevens
Quoting Edik Landaveri : #Thu Sep 25 19:11:30 PDT 2014 Debian already released a patch GNU bash, version 4.3.25(1)-release-(x86_64-pc-linux-gnu) I assume Red Hat already have their hands into a patch as well. Just have to wait. I posted a CentOS patch three hours ago, I assume that came fro

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Edik Landaveri
#Thu Sep 25 19:11:30 PDT 2014 Debian already released a patch GNU bash, version 4.3.25(1)-release-(x86_64-pc-linux-gnu) I assume Red Hat already have their hands into a patch as well. Just have to wait.

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Dan Thurman
On 09/24/2014 03:56 PM, Patrick O'Callaghan wrote: > http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ > > From the article: > > The vulnerability affects versions 1.14 through 4.3 of GNU Bash. [...] > To check your system, from a comman

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Lars E. Pettersson
On 09/25/14 22:51, Paul W. Frields wrote: If you keep an eye on the RSS feed for http://fedoramagazine.org you should see an update when the additional CVE-2014-7169 vulnerability has packages available. For fc20: Here is a list of

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Paul W. Frields
On Thu, Sep 25, 2014 at 10:28:49PM +0300, jarmo wrote: > Thu, 25 Sep 2014 13:11:01 -0600 > jd1008 wrote: > > > > Thanx Ian. > > I wonder if the BSD sh has the same vulnerability. > > > > Quick updates > > http://koji.fedoraproject.org/koji/buildinfo?buildID=580601 There is more context i

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Daniel J Walsh
On 09/24/2014 08:27 PM, Chris Adams wrote: > Once upon a time, jd1008 said: >> So, is this one of the ways javascripts exec bash to install malware >> or do other nasty stuff? > This has nothing to do with Javascript. It is probably more serious to > servers, such as web servers, than to desktop

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread jarmo
Thu, 25 Sep 2014 13:11:01 -0600 jd1008 wrote: > Thanx Ian. > I wonder if the BSD sh has the same vulnerability. > Quick updates http://koji.fedoraproject.org/koji/buildinfo?buildID=580601

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread jd1008
On 09/25/2014 01:50 AM, Ian Malone wrote: On 25 September 2014 01:36, jd1008 wrote: On 09/24/2014 06:27 PM, Chris Adams wrote: Once upon a time, jd1008 said: So, is this one of the ways javascripts exec bash to install malware or do other nasty stuff? This has nothing to do with Javascript

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Ian Pilcher
On 09/24/2014 07:27 PM, Chris Adams wrote: > On a client system, there are some potential routes to exploiting this > as well. For example, I think the DHCP and PPP clients will run > external scripts to configure things (such as DNS, NTP, etc.), using > environment variables to pass information,

Re: [Fedora] Heads up: possible BASH security vulnerability

2014-09-25 Thread Chris Adams
Once upon a time, Walter Cazzola said: > I was wondering if it could be a good workaround to link /bin/sh to tcsh > instead of bash. I'm not using bash at all but probably something in the > system is so do you know some contraindication on a system with apache > and SVN servers? /bin/sh must be

Re: [Fedora] Heads up: possible BASH security vulnerability

2014-09-25 Thread Ian Malone
> On Wed, 24 Sep 2014, Patrick O'Callaghan wrote: > >> >> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ >> >> From the article: >> >> The vulnerability affects versions 1.14 through 4.3 of GNU Bash. [...] >> To check your system, fro

Re: [Fedora] Heads up: possible BASH security vulnerability

2014-09-25 Thread Walter Cazzola
Dear Experts, I was wondering if it could be a good workaround to link /bin/sh to tcsh instead of bash. I'm not using bash at all but probably something in the system is so do you know some contraindication on a system with apache and SVN servers? Thanks Walter On Wed, 24 Sep 2014, Patrick O'Cal

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread Ian Malone
On 25 September 2014 01:36, jd1008 wrote: > > On 09/24/2014 06:27 PM, Chris Adams wrote: >> >> Once upon a time, jd1008 said: >>> >>> So, is this one of the ways javascripts exec bash to install malware >>> or do other nasty stuff? >> >> This has nothing to do with Javascript. It is probably mor

Re: Heads up: possible BASH security vulnerability

2014-09-25 Thread James Hogarth
On 25 Sep 2014 01:44, "Chris Adams" wrote: > > > As far as I know, that would require some other security vulnerability > first (at which point bash security is moot). > -- Heads up people the first patch was incomplete... This is now being tracked under: https://access.redhat.com/security/cve/

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread jd1008
On 09/24/2014 06:43 PM, Chris Adams wrote: Once upon a time, jd1008 said: Are you saying that a java script, being executed on your system via the browser, cannot also fork and exec bash? As far as I know, that would require some other security vulnerability first (at which point bash securit

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread Chris Adams
Once upon a time, jd1008 said: > Are you saying that a java script, being executed on your system > via the browser, cannot also fork and exec bash? As far as I know, that would require some other security vulnerability first (at which point bash security is moot). -- Chris Adams

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread jd1008
On 09/24/2014 06:27 PM, Chris Adams wrote: Once upon a time, jd1008 said: So, is this one of the ways javascripts exec bash to install malware or do other nasty stuff? This has nothing to do with Javascript. It is probably more serious to servers, such as web servers, than to desktops. On a

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread Chris Adams
Once upon a time, jd1008 said: > So, is this one of the ways javascripts exec bash to install malware > or do other nasty stuff? This has nothing to do with Javascript. It is probably more serious to servers, such as web servers, than to desktops. On a web server, let's say you have some PHP or

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread jd1008
On 09/24/2014 05:40 PM, Kevin Fenzi wrote: On Wed, 24 Sep 2014 17:33:15 -0600 jd1008 wrote: On 09/24/2014 05:27 PM, Jared K. Smith wrote: On Wed, Sep 24, 2014 at 6:56 PM, Patrick O'Callaghan wrote: Can we assume a patched version of Bash will be released

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread Patrick O'Callaghan
On Wed, 2014-09-24 at 19:27 -0400, Jared K. Smith wrote: > On Wed, Sep 24, 2014 at 6:56 PM, Patrick O'Callaghan > wrote: > > > Can we assume a patched version of Bash will be released shortly? > > > It's in updates-testing now, and has enough karma that it should be pushed > stable the next tim

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread Kevin Fenzi
On Wed, 24 Sep 2014 17:33:15 -0600 jd1008 wrote: > > On 09/24/2014 05:27 PM, Jared K. Smith wrote: > > > > On Wed, Sep 24, 2014 at 6:56 PM, Patrick O'Callaghan > > wrote: > > > > Can we assume a patched version of Bash will be released > > shortly? > > > > > >

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread Ian Pilcher
On 09/24/2014 06:33 PM, jd1008 wrote: > So, could someone explain the nature of the vulnerability? Start here: https://rhn.redhat.com/errata/RHSA-2014-1293.html -- Ian Pilcher areq

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread jd1008
On 09/24/2014 05:27 PM, Jared K. Smith wrote: On Wed, Sep 24, 2014 at 6:56 PM, Patrick O'Callaghan wrote: Can we assume a patched version of Bash will be released shortly? It's in updates-testing now, and has enough karma that it should be pushed stable

Re: Heads up: possible BASH security vulnerability

2014-09-24 Thread Jared K. Smith
On Wed, Sep 24, 2014 at 6:56 PM, Patrick O'Callaghan wrote: > Can we assume a patched version of Bash will be released shortly? It's in updates-testing now, and has enough karma that it should be pushed stable the next time the packages are mashed. See https://admin.fedoraproject.org/updates/b

Heads up: possible BASH security vulnerability

2014-09-24 Thread Patrick O'Callaghan
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ From the article: The vulnerability affects versions 1.14 through 4.3 of GNU Bash. [...] To check your system, from a command line, type: env x='() { :;}; echo vulnerable' bash -c "ech