Koozali.org: home of the SME Server

[SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory

guest22

[SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« on: September 25, 2014, 12:21:31 AM »
As per advisory explained here:

http://lists.centos.org/pipermail/centos/2014-September/146099.html

a fix has been made available for both SME8 and SME9.

You are advised to perform a 'yum update' immediately.

[I UPDATE SEPT 26 2014]
It seems that the above mentioned fix did not resolve the issue 100%.

https://access.redhat.com/security/cve/CVE-2014-7169

Please check the CentOS announcements for upcoming updates.

[II UPDATE SEPT 26 2014]
Upstream has released a new Bash package. This new package fixes the vulnerability as described here:

http://lists.centos.org/pipermail/centos/2014-September/146176.html

Offline Peasant

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #1 on: September 27, 2014, 08:48:26 PM »
I've one server running x64 SME 8 and one running i386 SME 8. The updates have appeared on the x64 box, but not the i386. Has anyone else found this?
Jim

guest22

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #2 on: September 27, 2014, 08:56:44 PM »
Quote
I've one server running x64 SME 8 and one running i386 SME 8. The updates have appeared on the x64 box, but not the i386. Has anyone else found this?

The output on that box from 'rpm -q bash' should be 'bash-3.2-33.el5_10.4.i386'

Offline Peasant

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #3 on: September 27, 2014, 09:05:37 PM »
OK, will check it. Thanks.
Jim

Offline janet

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #4 on: September 28, 2014, 01:48:10 AM »
Peasant

My i386 box reports the bash update OK.
Do you have update reporting configured in server manager, & for the same frequency?
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Peasant

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #5 on: September 28, 2014, 11:49:59 PM »
Think I may have found the problem. The CentOS and CentOS updates repositories are disabled on the i386 box, but enabled on the x64 box. I am assuming they should be enabled on both machines?

Jim

Offline janet

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #6 on: September 29, 2014, 01:18:42 AM »
Peasant

Yes
Was the 386 box updated from sme7?
To be sure you can reset all repos to standard defaults, see FAQ, link at top of forums or here
http://wiki.contribs.org/SME_Server:Adding_Software#Restoring_Default_Yum_Repositories
« Last Edit: September 29, 2014, 01:26:42 AM by janet »

Offline Peasant

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #7 on: September 29, 2014, 09:59:54 AM »
Thanks.

Both machines were a clean install and then a restore from a v7 backup via server manager. However since then the x64 machine has had another clean install and restore from backup due to hardware failure.

Looking at bash history, on both machines at some point I've run a command that disables the base and updates repos. I've a feeling it was to do with a bug, but I can't remember what exactly it was. The x64 machine's hardware failure was relatively recent so that is probably why all the repos are enabled in it.

Both machines are at different sites and are not connected.
Jim

guest22

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #8 on: September 29, 2014, 10:43:24 AM »
Quote
Looking at bash history, on both machines at some point I've run a command that disables the base and updates repos. I've a feeling it was to do with a bug, but I can't remember what exactly it was.

Maybe a tip, you can add comments to your shell commands e.g.:

cat /etc/redhat-release #Check what version we are running

or

db yum_repositories setprop base status disabled # disable the base repo due to some bug, before enabling please check issue #12345 @Peasant

bash history will show your comments.

guest

Offline Peasant

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #9 on: September 29, 2014, 10:47:19 AM »
Quote
Maybe a tip, you can add comments to your shell commands e.g.:

Very useful, thanks for that.
Jim

Offline Peasant

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #10 on: September 29, 2014, 10:23:04 PM »
Quote
The output on that box from 'rpm -q bash' should be 'bash-3.2-33.el5_10.4.i386'

All as it should be now thanks.
Jim

guest22

Re: [SOLVED] [UPDATE SEPT 26] Upstream immediate Security advisory
« Reply #11 on: September 29, 2014, 10:31:23 PM »
Thanks for the feedback and closure of your issue Jim.
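
A check that ties together the two findings in this thread (the expected 'rpm -q bash' string and the disabled base/updates repos), as an added example that is not part of the original posts. It assumes the SME Server `db` command accepts `getprop`; the function names are illustrative, and the numeric field comparison is a simplified stand-in for RPM's own version ordering.

```shell
#!/bin/sh
# Added example, not from the thread. FIXED_BASH is the i386 build quoted in
# reply #2; substitute the fixed build for your own release and architecture.
FIXED_BASH="bash-3.2-33.el5_10.4.i386"

# Exit 0 if `rpm -q` string $1 is at least $2, comparing numeric fields left
# to right. Simplified: only meaningful within the same distribution release.
nvr_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/\.(i[3-6]86|x86_64|noarch)$/, "", a)   # drop a trailing ".arch"
        sub(/\.(i[3-6]86|x86_64|noarch)$/, "", b)
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print every repo named in "$@" whose yum_repositories status is not "enabled".
disabled_repos() {
    for repo in "$@"; do
        status=$(db yum_repositories getprop "$repo" status 2>/dev/null)
        [ "$status" = "enabled" ] || printf '%s ' "$repo"
    done
}

# Report both conditions discussed in the thread; non-zero if either fails.
audit_host() {
    installed=$(rpm -q bash)
    off=$(disabled_repos base updates)
    rc=0
    if [ -n "$off" ]; then echo "repos not enabled: $off"; rc=1; fi
    if nvr_at_least "$installed" "$FIXED_BASH"; then
        echo "bash OK: $installed"
    else
        echo "bash older than $FIXED_BASH: $installed"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it with `--audit` on the server itself; a non-zero exit means either a repo that delivers the update is disabled or the installed bash is older than the expected build.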