You should 'yum update' as soon as possible to resolve this issue.
Here's why you should care:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen...
Links to the centos updates:
CentOS-5: http://lists.centos.org/pipermail/centos-announce/2014-September/020582.html
CentOS-6: http://lists.centos.org/pipermail/centos-announce/2014-September/020585.html
CentOS-7: http://lists.centos.org/pipermail/centos-announce/2014-September/020583.html
On 09/24/2014 10:26 AM, Jim Perrin wrote:
For informational purposes:
On Wed, Sep 24, 2014 at 11:11 AM, Johnny Hughes johnny@centos.org wrote:
Thanks for the heads up.
good morning,
You should 'yum update' as soon as possible to resolve this issue.
I installed the update on C5 and C6 machines, but I do not see any difference in the output of "bash --version". Is that the expected behaviour?
C5 returns:
---8<---
GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.
---8<---
and C6 returns:
---8<---
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
---8<---
before and after the update!
best regards
Michael Schumacher
On 09/25/2014 01:07 AM, Michael Schumacher wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
That is not the way to check if you have the update installed. That is the major upstream bash version on which the Red Hat version is based ... this will likely never change throughout the lifetime of each individual main branch of CentOS .. that is, CentOS-5 will likely always say 3.2.25(1)-release, CentOS-6 will likely always say 4.1.2(1)-release, etc.
What you need to do to check the version is this:
rpm -q bash
the result should be (if you have the update):
for c5: bash-3.2-33.el5.1
for c6: bash-4.1.2-15.el6_5.1
for c7: bash-4.2.45-5.el7_0.2
Note: Some people may have ARCH enabled in their RPM commands, so a .i386, .i686, .x86_64 might be on the end of the above output, so for c7, it might say: bash-4.2.45-5.el7_0.2.x86_64
Thanks, Johnny Hughes
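An added example (not from the thread or the CentOS project): a small POSIX sh check that compares the output of `rpm -q bash` against the minimum fixed package versions Johnny lists above, stripping the optional arch suffix he mentions. It assumes GNU `sort -V` is available for version ordering; the follow-up packages announced later in the thread sort above these minimums and also report as patched.

```shell
#!/bin/sh
# Added example, not code from the thread: gate an installed bash package
# NVR against the minimum fixed versions listed for each CentOS branch.
# Assumes GNU sort with -V (coreutils) for version ordering.

# Minimum fixed NVRs quoted in the thread, selected by the EL release tag.
fixed_nvr_for() {
    case "$1" in
        *.el5*) echo "bash-3.2-33.el5.1" ;;
        *.el6*) echo "bash-4.1.2-15.el6_5.1" ;;
        *.el7*) echo "bash-4.2.45-5.el7_0.2" ;;
        *)      echo "" ;;
    esac
}

# Drop a trailing arch suffix (.i386/.i686/.x86_64), which some rpm query
# formats append to the package name.
strip_arch() {
    v=$1
    v=${v%.x86_64}; v=${v%.i686}; v=${v%.i386}
    echo "$v"
}

# Prints "patched", "vulnerable" or "unknown" for a given `rpm -q bash` output.
bash_is_patched() {
    nvr=$(strip_arch "$1")
    want=$(fixed_nvr_for "$nvr")
    if [ -z "$want" ]; then
        echo unknown        # not an el5/el6/el7 package; no reference value
        return 0
    fi
    # sort -V orders the two NVRs; if the installed one sorts last (or is
    # equal) it is at or above the fixed version.
    newest=$(printf '%s\n%s\n' "$want" "$nvr" | sort -V | tail -n 1)
    if [ "$newest" = "$nvr" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# On a live host: bash_is_patched "$(rpm -q bash)"
# Constructed sample inputs for an offline run:
for pkg in bash-4.1.2-15.el6_5.1.x86_64 bash-4.1.2-14.el6 bash-3.2-32.el5; do
    printf '%s: %s\n' "$pkg" "$(bash_is_patched "$pkg")"
done
```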
If I understood correctly, the current fix is incomplete and another fix is planned? Also, in the advisory, RH says that after the update, servers need to be rebooted... Really? Aside from cgi/php, just closing all shells isn't enough?
Thx, JD
John Doe wrote:
If I understood correctly, the current fix is incomplete and another fix is planned?
Yes. More info here - https://access.redhat.com/security/cve/CVE-2014-7169
Also, in the advisory, RH says that after the update, servers need to be rebooted... Really?
No. From https://access.redhat.com/articles/1200223
-------------------
Do I need to reboot or restart services after installing this update?
No, a reboot of your system or any of your services is not required. This vulnerability is in the initial import of the process environment from the kernel. This only happens when Bash is started. After the update that fixes this issue is installed, such new processes will use the new code, and will not be vulnerable. Conversely, old processes will not be started again, so the vulnerability does not materialize.
-------------------
Take the case of an Apache Bash CGI. This will have been loaded when Apache started, so Apache will have to be restarted to get the new one. There may be other similar cases. So the best thing is to reboot.
Cheers,
Cliff
On Fri, Sep 26, 2014 at 2:39 AM, John Doe jdmls@yahoo.com wrote:
I didn't notice you had mentioned CGI. CGI (and PHP) is only one case where a copy of bash is loaded. There are many other possibilities, eg wrapper bash scripts, bash shell called from programs. I don't know whether or not there are any such cases on my machines, or if the exploit can be executed through them, so I'd say that the best way to be sure is to reboot.
Cheers,
Cliff
On Fri, Sep 26, 2014 at 4:43 PM, Cliff Pratt enkiduonthenet@gmail.com wrote:
On 2014-09-26, Cliff Pratt enkiduonthenet@gmail.com wrote:
Take the case of an Apache Bash CGI. This will have been loaded when Apache started, so Apache will have to be restarted to get the new one.
Based on my (admittedly limited) testing I do not believe this is the case. Apache exec()'s the interpreter on each request; it doesn't save the interpreter into its memory space, so each subsequent call should re-run the interpreter. That's one of the big reasons mod_perl and their ilk are popular: they do put the interpreter into httpd's memory, so the interpreter doesn't have to be called on each invocation.
I don't currently have a vulnerable interpreter available on a web server, but on the servers where I have an updated bash, the "vulnerable" message that's produced by the example code doesn't show up in a bash CGI on a web server I haven't restarted.
# example code
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
--keith
On 26 Sep 2014 05:46, "Cliff Pratt" enkiduonthenet@gmail.com wrote:
Take the case of an Apache Bash CGI. This will have been loaded when Apache started, so Apache will have to be restarted to get the new one. There may be other similar cases. So the best thing is to reboot.
This is false and a major misunderstanding of the vulnerability.
1) the vulnerability is just during initialisation of bash. Once it is running it is beyond the vulnerable stage and needs no restarting
2) in a CGI of #!/bin/bash or for a system call with any other language for CGI bash gets executed on demand... It does not do what you say...
On Fri, Sep 26, 2014 at 6:28 PM, James Hogarth james.hogarth@gmail.com wrote:
You are 100% correct, sir. Sorry about the noise......
Cheers,
Cliff
On 24 Sep 2014 17:12, "Johnny Hughes" johnny@centos.org wrote:
For informational purposes:
As a heads up, that advisory has been updated since the updated packages were released.
The fix in the previous packages is incomplete and there is a new CVE being tracked as a result:
On 09/25/2014 01:49 AM, James Hogarth wrote:
These are now released as well:
CentOS7: http://lists.centos.org/pipermail/centos-announce/2014-September/020592.html
CentOS6: http://lists.centos.org/pipermail/centos-announce/2014-September/020593.html
CentOS5: http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html
*NOTE*: CentOS-4 has been past End Of Life for a long time (February 2012), and this bash issue is just one of many Critical ones that mean you should not be running CentOS-4 in production where it in any way touches the Internet:
http://lists.centos.org/pipermail/centos-announce/2012-February/018462.html
If you absolutely must run an EL4 workload, please do not do it on CentOS-4 and instead pay for and upgrade to RHEL-4 ELS as described in the above link from February 2012. CentOS-4 is unsafe .. don't use it .. don't do it .. please.
This lists how one can check whether a system is vulnerable to Shellshock or not, and how to verify after the upgrade of the bash rpm.
https://garage.godaddy.com/webpro/security/shellshock-vulnerability-need-kno...
On Fri, Sep 26, 2014 at 4:24 PM, Johnny Hughes johnny@centos.org wrote:
Better one -> https://support.godaddy.com/help/article/12120/patching-bash-on-your-server-...
On Fri, Sep 26, 2014 at 4:33 PM, Ankush Grover ankushcentos@gmail.com wrote:
On 26/09/14 11:54, Johnny Hughes wrote:
On 09/25/2014 01:49 AM, James Hogarth wrote:
<snip> If you absolutely must run an EL4 workload, please do not do it on CentOS-4 and instead pay for and upgrade to RHEL-4 ELS as described in the above link from February 2012. CentOS-4 is unsafe .. don't use it .. don't do it .. please.
CentOS4 is perfectly safe to use :).
...... If it's in a Virtual Machine with no network access :).
Kind Regards,
Jake Shipton (JakeMS)
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F
Jake Shipton wrote:
If you _really_ want to update bash on EL4, Oracle have updated (S)RPMS available - see:
https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage...
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPacka...
James Pearson
If you absolutely must run an EL4 workload, please do not do it on CentOS-4 and instead pay for and upgrade to RHEL-4 ELS as described in the above link from February 2012. CentOS-4 is unsafe .. don't use it .. don't do it .. please.
Or, use the source, Luke. There are official patches for 3.x and 4.x.
The patched code is so old that even 4.2 patch 48 applies cleanly(*) to bash-2.05b, which is RHEL3 territory.
* minus the patchlevel.h bit
On 09/24/2014 12:11 PM, Johnny Hughes wrote:
FYI: Update: 2014-09-25 03:10 UTC This article has been updated today 9/25/14 - saying the original patch is not complete.