Current info i’ve got:
IDR’s are in test for
Solaris 11.2 -> 11.2 SRU 2.5
Solaris 11.1 -> Solaris 11.1 SRU 12.5
Solaris 11.1 SRU 13.6 -> Solaris 11.1 SRU 21.4.1
Solaris 10 (with dependency on 12654{6..7}-05 already in place)
Solaris 9
And Solaris 8 coming soon.
Ian McGinley
Application Technology
Consumer and Digital - Online
03 8647 2433
0457 724 419
From: Boyd Adamson [mailto:[email protected]]
Sent: Thursday, 25 September 2014 6:55 PM
To: Andrew Watkins
Cc: [email protected]
Subject: Re: [msosug] bash vulnerability in Solaris?.
Will indeed be interesting to see what they do. Another aspect is that in the
past Solaris 11 package updates have only ever been bundled into SRUs that
also included reboot-requiring packages. If they continue this practice then we
will be rebooting for an update that really only requires replacing a single
binary, while our Linux systems are already upgraded without outage.
On 25 Sep 2014, at 6:27 pm, Andrew Watkins
<[email protected]<mailto:[email protected]>> wrote:
Yes, we could all compile and install a new version or remove bash, but it
will be interesting to see how Oracle handle it for all the Solaris 11
releases. Currently they only release patches for the latest version 11.2, so
that is why I am interested in what they will do for this one.
What happens in the Zero Day Security bug was in the Solaris 11.0 kernel, so
there is no way of you fixing it? Will they only release a patch for 11.2 or
will they back port?
Happy fixing.
Andrew
On 25/09/2014 09:18, Ben Couldrey wrote:
We should all be running zsh anyway… (sorry Boyd, had to get in before you did)
Ben
On 25 Sep 2014, at 6:13 pm, Andrew Watkins
<[email protected]<mailto:[email protected]>> wrote:
It will be interesting if Oracle release a bash patch for all Solaris 11
versions (11, 11.1 and 11.2).
Or will the force everyone to go to Solaris 11.2 SRU latest
Andrew
On 25/09/2014 08:21, McGinley, Ian R wrote:
Log an SR asking for it.
We’ve got one in the system for tracking internal change management purposes.
In the mean time if it’s super dangerous for you, then pkgrm SUNWbash, or at
least chmod 000 /bin/bash
Ian McGinley
Application Technology
Consumer and Digital - Online
03 8647 2433
0457 724 419
From: Tony Payne [mailto:[email protected]]
Sent: Thursday, 25 September 2014 11:39 AM
To: msosug
Subject: [msosug] bash vulnerability in Solaris?.
Hi All,
I'm sure you've all heard about the bash vulnerability where:
*"specially-crafted environment variables can be used to inject shell commands"
unearthed by Stephane Chazelas very recently?.
Many linux flavors have already released patches and according to the following
test (see in full at: https://access.redhat.com/articles/1200223) Solaris 10 at
least appears to be vulnerable.
=========================
Diagnostic Steps
To test if your version of Bash is vulnerable to this issue, run the following
command:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output of the above command looks as follows:
vulnerable
this is a test
you are using a vulnerable version of Bash. The patch used to fix this issue
ensures that no code is allowed after the end of a Bash function. Thus, if you
run the above example with the patched version of Bash, you should get an
output similar to:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
=========================
Does anyone know if there is, or is planned, a patch for Solaris' bash
implementation?.
*
https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA&;
--
Cheers,
Tony.
\|/ ____ \|/
@~/ ,. \~@
/_( \__/ )_\
+------------------------------\__U_/----------------------------------+
_______________________________________________
msosug mailing list
[email protected]<mailto:[email protected]>
http://mexico.purplecow.org/m/listinfo/msosug
--
Andrew Watkins * Birkbeck, University of London * Computer Science *
* UKOUG Solaris SIG Co-Chair *
http://notallmicrosoft.blogspot.com/
_______________________________________________
msosug mailing list
[email protected]<mailto:[email protected]>
http://mexico.purplecow.org/m/listinfo/msosug
--
Andrew Watkins * Birkbeck, University of London * Computer Science *
* UKOUG Solaris SIG Co-Chair *
http://notallmicrosoft.blogspot.com/
_______________________________________________
msosug mailing list
[email protected]<mailto:[email protected]>
http://mexico.purplecow.org/m/listinfo/msosug
_______________________________________________
msosug mailing list
[email protected]
http://mexico.purplecow.org/m/listinfo/msosug
