Topic: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-62

[ghorst352]

Just seeing if there has been any discussion regarding this vulnerability that just came out.

https://www.us-cert.gov/ncas/alerts/TA14-268A

[DanB35]

You mean, like this topic, posted yesterday?
http://forums.contribs.org/index.php/topic,51137.0.html

There's an update already out for SME 8 and 9.  Install it and you're covered.

[jim7jim]

Can someone tell me the steps to install this? My software installer pane shows the system is up to date and when I do a 'yum install' I get back 'No Packages marked for Update'.

Also, is there a way to get the current version of Bash?

TIA

[guest22]

Also, is there a way to get the current version of Bash?

Maybe you have been caught in a mid air collision of package release, mirror sync and your yum.

Please check the Bash version by 'rpm -q bash' and see in the main post if you have the latest.

[jim7jim]

'rpm -q bash' yields -->   bash-3.2-33.el5_10.4

I saw you mention bash version 4.1.2 in another post but is that for CentOS 6? The version I have above is ok for CentOS 5 (SME 8.1), right?

[guest22]

as per http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html for SME8

[jim7jim]

Thank you very much for the assistance!

[ghorst352]

Is there any reason why using bash --version is different than rpm -q bash command?   I bring this up as an alarm that is on the redhat forums so I would imagine somebody knows about this or perhaps I have been misguided from the forum.  Thanks.

[root@mail ~]# rpm -q bash
bash-3.2-33.el5_10.4
[root@mail ~]# bash --version
GNU bash, version 3.2.25(1)-release (i386-redhat-linux-gnu)

[ghorst352]

Nevermind, this is a noted issue with the command not reflecting the correct version.

https://www.centos.org/forums/viewtopic.php?f=24&t=48648

[soundrolf]

There is a shellscript out to check the bash if vulnerable or not

https://github.com/hannob/bashcheck

Rolf

[devtay]

Thanks for posting this.

There is a shellscript out to check the bash if vulnerable or not

https://github.com/hannob/bashcheck

Rolf

[guest22]

Thanks for posting this.

Why please? What will you do with any outcome?

[devtay]

Not much.  it's more for my peace of mind than anything else. Maybe learn a little more about my server and how to maintain it? I just appreciate that people are willing to help out here.

[Mntsnow]

Replying here as this is where the topic dealing with shellshock for SME9 linked me to...

Anyways I've looked and I do show the new version of bash (bash-4.1.2-15.el6_5.2) but when check against my server it still shows a vulnerability namely "CVE-2014-6277" as shown from the shellshock test from shellshocker.net.  Note: I added the colors below

root@sme-3 ~]# curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
101  2533  101  2533    0     0   6305      0 --:--:-- --:--:-- --:--:-- 12728
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16:  5024 Segmentation fault      bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
[root@sme-3 ~]# exit

What do I need to do to fix that issue or is it something I don't need to worry about?

[Stefano]

you should/could search for CVE-2014-6277 in RH's bugzilla and with google..

we can only wait for upstream bugfix