Page 1 of 5 123 ... LastLast
Results 1 to 10 of 43

Thread: update for "Shell Shock" / or how to remove bash

  1. #1
    Join Date
    Apr 2013
    Beans
    96

    update for "Shell Shock" / or how to remove bash

    Hi, is there an update for the 'shell shock' bug yet, or advice on how to remove bash or otherwise deal with this?
    when I try to sudo apt-get update, I get an error 'Could not resolve 'dl.google.com' - any advice?
    Could not resolve 'dl.google.com'



    Thanks

  2. #2
    Join Date
    Apr 2012
    Beans
    181
    Distro
    Ubuntu 19.10 Eoan Ermine

    Re: update for "Shell Shock" / or how to remove bash

    Is there any specific information about this vulnerability, never mind about how to deal with it?

    What is the vulnerability? Who is vulnerable and who is not? What is the attack mechanism?

  3. #3
    Join Date
    Apr 2012
    Beans
    181
    Distro
    Ubuntu 19.10 Eoan Ermine

    Re: update for "Shell Shock" / or how to remove bash

    Some info:

    https://blog.cloudsecurityalliance.o...an-heartbleed/

    https://access.redhat.com/articles/1200223

    I've already seen Robert Graham's mass scan visit one of my web servers checking for this vulnerability.

  4. #4
    Join Date
    Sep 2014
    Beans
    1

    Re: update for "Shell Shock" / or how to remove bash

    https://community.qualys.com/blogs/s...-cve-2014-6271

    doesn't matter too much - easy to fix and test.

    A simple test to check if your Bash is vulnerable is available publicly.


    • $ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true


    Upon running the above command, an affected version of bash will output "vulnerable".

    Once the patch has been applied, the same test will return the following result.


    • bash: warning: var: ignoring function definition attempt
    • bash: error importing function definition for 'var'



    if vulnerable then ..
    apt-get update
    apt-get install bash
    then re-run the above test
    then go have a milkshake

  5. #5
    Join Date
    Sep 2014
    Beans
    6

    Re: update for "Shell Shock" / or how to remove bash

    test if your bash is vulnerable

    # env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

  6. #6
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    11,724
    Distro
    Ubuntu

    Re: update for "Shell Shock" / or how to remove bash

    Quote Originally Posted by Hodor View Post
    Hi, is there an update for the 'shell shock' bug yet, or advice on how to remove bash or otherwise deal with this?
    when I try to sudo apt-get update, I get an error 'Could not resolve 'dl.google.com' - any advice?
    Could not resolve 'dl.google.com'
    Seems that's a google repo.
    Do you have google packages installed?
    You might temporarily try disabling those repos so the update manager can get the ubuntu packages updated.
    After that try re-enabling them after the ubuntu packages are updated.

    And bash is an essential package, so don't try removing it.




    Quote Originally Posted by Newbunto View Post
    Is there any specific information about this vulnerability, never mind about how to deal with it?

    What is the vulnerability? Who is vulnerable and who is not? What is the attack mechanism?
    Ubuntu Security Notices
    http://www.ubuntu.com/usn/


    The Bash security notice
    http://www.ubuntu.com/usn/usn-2362-1/
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful
    .

  7. #7
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    usn-2362-1

    Quote Originally Posted by deadflowr View Post
    The Bash security notice
    http://www.ubuntu.com/usn/usn-2362-1/
    These notices are also sent out via the security mailing list, if you (@hodor) want to follow:
    https://lists.ubuntu.com/mailman/lis...urity-announce
    They include only a little explanation but do provide pointers to more.

    Otherwise, checking for and applying updates daily works.

    I wonder if this bug will be marketed as a brand name like another recent one that does not need to be mentioned.

  8. #8
    Join Date
    Apr 2013
    Beans
    96

    Re: update for "Shell Shock" / or how to remove bash

    Thanks everyone for the help - all sorted.

  9. #9
    Join Date
    Apr 2008
    Location
    Norwich CT
    Beans
    2,661
    Distro
    Ubuntu Mate

    Re: update for "Shell Shock" / or how to remove bash

    oops
    Last edited by oldrocker99; September 25th, 2014 at 01:59 PM.

    I drink my Ubuntu black, no sugar.
    Ubuntu user 28819

  10. #10
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    11,724
    Distro
    Ubuntu

    Re: usn-2362-1

    Quote Originally Posted by Lars Noodén View Post
    These notices are also sent out via the security mailing list, if you (@hodor) want to follow:
    https://lists.ubuntu.com/mailman/lis...urity-announce
    They include only a little explanation but do provide pointers to more.

    Otherwise, checking for and applying updates daily works.

    I wonder if this bug will be marketed as a brand name like another recent one that does not need to be mentioned.
    +1 to subscribing to the mailing list, you can eiher get an email per announcement(bug alert) or a daily digest.
    +2 to setting security updates to daily.

    ShellShock is the Branded Name, so far.
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful
    .

Page 1 of 5 123 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •