"Bash" bug?

cicero · September 25, 2014, 8:46am

Anyone know anything about this apparent bug and if Peppermint 5 is vulnerable?

Means nothing to me but it seems to be being widely reported today.

chemicalfan · September 25, 2014, 8:58am

Link?

Edit: There was a patch for bash yesterday, according to Ubuntu’s changelog it was to fix CVE-2014-6271, but whether this is the same as reported, I don’t know at the moment (probably is though)

Edit 2: RedHat don’t seem to think it’s fixed yet… https://access.redhat.com/security/cve/CVE-2014-7169

Mark_Greaves_PCNetSp · September 25, 2014, 9:35am

If Peppermint 5 is up-to-date, the patched version of bash should already be present.

If you want to check:

dpkg -s bash | grep Version

should return

Version: 4.3-7ubuntu1.1

or later … if it does you’re OK, if it doesn’t run:-

menu > System Tools > Software Updater

then check the version again.

Source:
(Ubuntu Security Notice USN-2362-1 for CVE-2014-6271 bash vulnerability)
http://www.ubuntu.com/usn/usn-2362-1/

–

chemicalfan · September 25, 2014, 10:43am

But I’m assuming that the patch Ubuntu issued hasn’t fixed it (otherwise surely RedHat would have nicked it, under the GPL?).
So, I’m expecting another patch to be issued in the next day or two.

In fairness, I can’t see how it could be remotely exploited unless you’ve already got/accepting remote connections (i.e. a website). Even then, if your website cleans the incoming data, again it shouldn’t be a problem (unless I’ve mis-understood it, probably have)

Mark_Greaves_PCNetSp · September 25, 2014, 2:30pm

You’re right … the incomplete fix has been reassigned CVE-2014-7169 … so I’d expect another update fairly soon.

And I’d agree, home users have little to worry about anyway.

chemicalfan · September 25, 2014, 3:01pm

Just thought I’d take the opportunity to point out the awesomeness of open source software here vs closed source (i.e. Windows)

cicero · September 25, 2014, 5:05pm

Mark Greaves (PCNetSpec) post:3:

If Peppermint 5 is up-to-date, the patched version of bash should already be present.

If you want to check:
dpkg -s bash | grep Version
should return
Version: 4.3-7ubuntu1.1
or later … if it does you’re OK, if it doesn’t run:-

menu > System Tools > Software Updater

Source:
(Ubuntu Security Notice USN-2362-1 for CVE-2014-6271 bash vulnerability)
http://www.ubuntu.com/usn/usn-2362-1/

–

Thanks, Mark

Have done as you suggested and it returned the text you mentioned.

Can i ask if this is the same for Mint 17 as my friend uses it?

Thanks.

Mark_Greaves_PCNetSp · September 25, 2014, 5:25pm

Yeah, should be the same for Mint 17
(or any other Ubuntu 14.04 based distro for that matter)

–

cicero · September 25, 2014, 6:33pm

Thanks very much, I’ll let her know tomorrow.

Regards,

Doug

Mark_Greaves_PCNetSp · September 26, 2014, 1:52pm

I’ve just received a second security update to bash … haven’t checked the changelog yet, but hopefully this puts this bug to bed.

[EDIT]

Changelog
bash (4.3-7ubuntu1.3) trusty-security; urgency=medium

Updated debian/patches/CVE-2014-7169.diff to also patch y.tab.c in
case it doesn’t get regenerated when built (LP: #1374207)
– Marc Deslauriers [email protected] Thu, 25 Sep 2014 21:20:03 -0400

Guess we’ll have to wait and see if anyone finds this one “incomplete”