Solaris 10 SPARC

PRE Install of IDR
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

POST INSTALL of IDR (no logout and no reboot)

root@ccssapprfvs001[DHS-Stage1]# env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable "
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
echo vuln
cat: cannot open echo
root@ccssapprfvs001[DHS-Stage1]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Ian McGinley
Application Technology
Consumer and Digital - Online
03 8647 2433
0457 724 419

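The two one-liners in this thread (the Red Hat test for CVE-2014-6271 and the follow-on `(a)=>\` test for CVE-2014-7169) are easy to misread by eye: the second one leaves a file called `echo` in the current directory only on a bash that is still affected, which is why the post-IDR run above prints `cat: cannot open echo` and never reaches `still vulnerable`. The script below is an added example, not part of the list thread or of any Oracle IDR; it wraps both tests so a fleet check can report a single word per CVE. It is written for POSIX `/bin/sh` (no `[[`), so it can be run with a shell other than the one under test. `BASH_BIN` is an assumed override for pointing at a specific binary; `mktemp -d` is assumed to exist on the host.

```shell
#!/bin/sh
# Added example (not from the list thread): wrap the two Shellshock
# one-liners quoted in the thread and report per-CVE status.
# BASH_BIN is an assumed override; default is whatever "bash" is on PATH.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: an affected bash executes the trailing "echo vulnerable"
# while importing the function definition from the environment.
# Returns 0 (true) if the word "vulnerable" appears in the output.
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: an incompletely patched bash mis-parses the definition and
# the leftover "echo vuln" is redirected into a file named "echo" in the
# current directory. Run inside a scratch directory so nothing in the
# caller's cwd is touched, then remove it. Returns 0 (true) if affected.
check_7169() {
    tmp=$(mktemp -d) || return 2
    (
        cd "$tmp" || exit 2
        env X='() { (a)=>\' "$BASH_BIN" -c "echo echo vuln" >/dev/null 2>&1
        [ -f echo ] && [ "$(cat echo)" = "vuln" ]
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# One-word summaries for monitoring or inventory scripts.
status_6271() { if check_6271; then echo vulnerable; else echo patched; fi; }
status_7169() { if check_7169; then echo vulnerable; else echo patched; fi; }

main() {
    printf 'bash version: %s\n' "$("$BASH_BIN" -c 'echo "$BASH_VERSION"' 2>/dev/null)"
    printf 'CVE-2014-6271: %s\n' "$(status_6271)"
    printf 'CVE-2014-7169: %s\n' "$(status_7169)"
}
main
```

Run it once before and once after the IDR, as in the transcript above; a "patched" result for CVE-2014-6271 alone is not sufficient, since the first upstream fix still failed the CVE-2014-7169 test.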

-----Original Message-----
From: Andre van Eyssen [mailto:[email protected]] 
Sent: Friday, 26 September 2014 9:44 AM
To: McGinley, Ian R
Cc: Boyd Adamson; Andrew Watkins; [email protected]
Subject: Re: [msosug] bash vulnerability in Solaris?.


Ian -- you're doing a great job of keeping the list updated. For the benefit of 
the subscriber base, can you update the list as patches roll in?

McGinley, Ian R wrote:
> Current info I’ve got:
> 
> IDR’s are in test for
> 
> Solaris 11.2 -> 11.2 SRU 2.5
> Solaris 11.1 -> Solaris 11.1 SRU 12.5
> Solaris 11.1 SRU 13.6 -> Solaris 11.1 SRU 21.4.1
> 
> Solaris 10 (with dependency on 12654{6..7}-05 already in place)
> 
> Solaris 9
> 
> And Solaris 8 coming soon.
> 
> Ian McGinley
> Application Technology
> Consumer and Digital - Online
> 03 8647 2433
> 0457 724 419
> 
> From: Boyd Adamson [mailto:[email protected]]
> Sent: Thursday, 25 September 2014 6:55 PM
> To: Andrew Watkins
> Cc: [email protected]
> Subject: Re: [msosug] bash vulnerability in Solaris?.
> 
> Will indeed be interesting to see what they do. Another aspect is that 
> in the past Solaris 11 package updates have only ever been bundled 
> into SRUs that also included reboot-requiring packages. If they 
> continue this practice then we will be rebooting for an update that 
> really only requires replacing a single binary, while our Linux 
> systems are already upgraded without outage.
> 
> 
> On 25 Sep 2014, at 6:27 pm, Andrew Watkins <[email protected]> wrote:
> 
> 
>     Yes, we could all compile and install a new version or remove bash,
>     but it will be interesting to see how Oracle handle it for all the
>     Solaris 11 releases. Currently they only release patches for the
>     latest version 11.2, so that is why I am interested in what they
>     will do for this one.
> 
>     What happens if the Zero Day Security bug was in the Solaris 11.0
>     kernel, so there is no way of you fixing it? Will they only release
>     a patch for 11.2 or will they back port?
> 
>     Happy fixing.
> 
>     Andrew
> 
>     On 25/09/2014 09:18, Ben Couldrey wrote:
> 
>         We should all be running zsh anyway… (sorry Boyd, had to get in
>         before you did)
> 
>         Ben
> 
>             On 25 Sep 2014, at 6:13 pm, Andrew Watkins <[email protected]> wrote:
> 
>             It will be interesting if Oracle release a bash patch for
>             all Solaris 11 versions (11, 11.1 and 11.2).
>             Or will they force everyone to go to Solaris 11.2 SRU latest?
> 
>             Andrew
> 
>             On 25/09/2014 08:21, McGinley, Ian R wrote:
> 
>                 Log an SR asking for it.
> 
>                 We’ve got one in the system for tracking internal change
>                 management purposes.
> 
>                 In the meantime if it’s super dangerous for you, then
>                 pkgrm SUNWbash, or at least chmod 000 /bin/bash
> 
>                 Ian McGinley
>                 Application Technology
>                 Consumer and Digital - Online
>                 03 8647 2433
>                 0457 724 419
> 
>                 From: Tony Payne [mailto:[email protected]]
>                 Sent: Thursday, 25 September 2014 11:39 AM
>                 To: msosug
>                 Subject: [msosug] bash vulnerability in Solaris?.
> 
>                 Hi All,
> 
>                 I'm sure you've all heard about the bash vulnerability
>                 where "specially-crafted environment variables can be
>                 used to inject shell commands", unearthed by Stephane
>                 Chazelas very recently?
> 
>                 Many Linux flavors have already released patches and
>                 according to the following test (see in full at:
>                 https://access.redhat.com/articles/1200223) Solaris 10
>                 at least appears to be vulnerable.
> 
>                 =========================
> 
>                 Diagnostic Steps
> 
>                 To test if your version of Bash is vulnerable to this
>                 issue, run the following command:
> 
>                 $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
> 
>                 If the output of the above command looks as follows:
> 
>                 vulnerable
>                 this is a test
> 
>                 you are using a vulnerable version of Bash. The patch
>                 used to fix this issue ensures that no code is allowed
>                 after the end of a Bash function. Thus, if you run the
>                 above example with the patched version of Bash, you
>                 should get an output similar to:
> 
>                 $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
> 
>                 bash: warning: x: ignoring function definition attempt
>                 bash: error importing function definition for `x'
>                 this is a test
> 
>                 =========================
> 
>                 Does anyone know if there is, or is planned, a patch for
>                 Solaris' bash implementation?
> 
>                 https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA
> 
>                 -- 
>                 Cheers,
> 
>                 Tony. 
>                                             \|/ ____ \|/ 
>                                              @~/ ,. \~@ 
>                                             /_( \__/ )_\ 
>                 +------------------------------\__U_/----------------------------------+
> 
>                 _______________________________________________
> 
>                 msosug mailing list
> 
>                 [email protected] 
> <mailto:[email protected]>
> 
>                 http://mexico.purplecow.org/m/listinfo/msosug
> 
>             --
>             Andrew Watkins * Birkbeck, University of London * Computer Science *
>             * UKOUG Solaris SIG Co-Chair *
>             http://notallmicrosoft.blogspot.com/
> 
> 
>     --
>     Andrew Watkins * Birkbeck, University of London * Computer Science *
>     * UKOUG Solaris SIG Co-Chair *
>     http://notallmicrosoft.blogspot.com/
> 


--
Andre van Eyssen
mail: [email protected]            (alt: [email protected])
purplecow.org: UNIX for the masses   http://www2.purplecow.org
purplecow.org: PCOWpix               http://pix.purplecow.org
