Not sure if anyone is interested.  For Solaris 11+.

http://www.solarismultimedia.com/?q=node/108

May not be good practice but it'll do for the moment.

Regards

Murray

On 26/09/2014 09:43, McGinley, Ian R wrote:
> Solaris 10 SPARC
>
> PRE Install of IDR
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
>
>
>
> POST INSTALL of IDR (no logout and no reboot)
>
> root@ccssapprfvs001[DHS-Stage1]# env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable "
> bash: X: line 1: syntax error near unexpected token `='
> bash: X: line 1: `'
> bash: error importing function definition for `X'
> echo vuln
> cat: cannot open echo
> root@ccssapprfvs001[DHS-Stage1]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
>
> Ian McGinley
> Application Technology
> Consumer and Digital - Online
> 03 8647 2433
> 0457 724 419
>
>
> -----Original Message-----
> From: Andre van Eyssen [mailto:[email protected]]
> Sent: Friday, 26 September 2014 9:44 AM
> To: McGinley, Ian R
> Cc: Boyd Adamson; Andrew Watkins; [email protected]
> Subject: Re: [msosug] bash vulnerability in Solaris?.
>
>
> Ian -- you're doing a great job of keeping the list updated. For the benefit 
> of the subscriber base, can you update the list as patches roll in?
>
> McGinley, Ian R wrote:
>> Current info I’ve got:
>>
>> IDR’s are in test for
>>
>> Solaris 11.2 -> 11.2 SRU 2.5
>>
>> Solaris 11.1 -> Solaris 11.1 SRU 12.5
>>
>> Solaris 11.1 SRU 13.6 -> Solaris 11.1 SRU 21.4.1
>>
>> Solaris 10 (with dependency on 12654{6..7}-05 already in place)
>>
>> Solaris 9
>>
>> And Solaris 8 coming soon.
>>
>> Ian McGinley
>>
>> Application Technology
>>
>> Consumer and Digital - Online
>>
>> 03 8647 2433
>>
>> 0457 724 419
>>
>>   
>>
>> *From:*Boyd Adamson [mailto:[email protected]]
>> *Sent:* Thursday, 25 September 2014 6:55 PM
>> *To:* Andrew Watkins
>> *Cc:* [email protected]
>> *Subject:* Re: [msosug] bash vulnerability in Solaris?.
>>
>>   
>>
>> Will indeed be interesting to see what they do. Another aspect is that
>> in the past Solaris 11 package  updates have only ever been bundled
>> into SRUs that also included reboot-requiring packages. If they
>> continue this practice then we will be rebooting for an update that
>> really only requires replacing a single binary, while our Linux
>> systems are already upgraded without outage.
>>
>>
>> On 25 Sep 2014, at 6:27 pm, Andrew Watkins <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>>
>>      Yes, we could all compile and install a new version or remove bash,
>>      but  it will be interesting to see how Oracle handle it for all the
>>      Solaris 11 releases. Currently they only release patches for the
>>      latest version 11.2, so that is why I am interested in what they
>>      will do for this one.
>>
>>      What happens if the Zero Day Security bug was in the Solaris 11.0
>>      kernel, so there is no way of you fixing it? Will they only release
>>      a patch for 11.2 or will they back port?
>>
>>      Happy fixing.
>>
>>      Andrew
>>
>>       
>>
>>      On 25/09/2014 09:18, Ben Couldrey wrote:
>>
>>          We should all be running zsh anyway… (sorry Boyd, had to get in
>>          before you did)
>>
>>           
>>
>>          Ben
>>
>>           
>>
>>              On 25 Sep 2014, at 6:13 pm, Andrew Watkins
>>              <[email protected] <mailto:[email protected]>> wrote:
>>
>>               
>>
>>
>>              It will be interesting if Oracle release a bash patch for
>>              all Solaris 11 versions (11, 11.1 and 11.2).
>>              Or will they force everyone to go to Solaris 11.2 SRU latest?
>>
>>              Andrew
>>
>>              On 25/09/2014 08:21, McGinley, Ian R wrote:
>>
>>                  Log an SR asking for it.
>>
>>                   
>>
>>                  We’ve got one in the system for tracking internal change
>>                  management purposes.
>>
>>                   
>>
>>                  In the meantime, if it’s super dangerous for you, then
>>                  pkgrm SUNWbash, or at least chmod 000 /bin/bash
>>
>>
>>                  Ian McGinley
>>
>>                  Application Technology
>>
>>                  Consumer and Digital - Online
>>
>>                  03 8647 2433
>>
>>                  0457 724 419
>>
>>                   
>>
>>                  *From:*Tony Payne [mailto:[email protected]]
>>                  *Sent:* Thursday, 25 September 2014 11:39 AM
>>                  *To:* msosug
>>                  *Subject:* [msosug] bash vulnerability in Solaris?.
>>
>>                   
>>
>>                  Hi All,
>>
>>                   
>>
>>                  I'm sure you've all heard about the bash vulnerability
>>                  where "specially-crafted environment variables can be
>>                  used to inject shell commands", unearthed by Stephane
>>                  Chazelas very recently?
>>
>>                   
>>
>>                  Many Linux flavors have already released patches and
>>                  according to the following test (see in full at:
>>                  https://access.redhat.com/articles/1200223) Solaris 10
>>                  at least appears to be vulnerable.
>>
>>                   
>>
>>                  =========================
>>
>>
>>                      Diagnostic Steps
>>
>>                  To test if your version of Bash is vulnerable to this
>>                  issue, run the following command:
>>
>>                  $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>>
>>                  If the output of the above command looks as follows:
>>
>>                  vulnerable
>>
>>                  this is a test
>>
>>                  you are using a vulnerable version of Bash. The patch
>>                  used to fix this issue ensures that no code is allowed
>>                  after the end of a Bash function. Thus, if you run the
>>                  above example with the patched version of Bash, you
>>                  should get an output similar to:
>>
>>                  $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>>
>>                  bash: warning: x: ignoring function definition attempt
>>
>>                  bash: error importing function definition for `x'
>>
>>                  this is a test
>>
>>                  =========================
>>
>>
>>                  Does anyone know if there is, or is planned, a patch for
>>                  Solaris' bash implementation?
>>
>>
>>                  https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA
>>
>>                   
>>
>>                  --
>>                  Cheers,
>>
>>                  Tony.
>>                                              \|/ ____ \|/
>>                                               @~/ ,. \~@
>>                                              /_( \__/ )_\
>>                  +------------------------------\__U_/----------------------------------+
>>
>>
>>
>>
>>                  _______________________________________________
>>
>>                  msosug mailing list
>>
>>                  [email protected]
>> <mailto:[email protected]>
>>
>>                  http://mexico.purplecow.org/m/listinfo/msosug
>>
>>
>>
>>
>>              --
>>
>>              Andrew Watkins * Birkbeck, University of London * Computer Science *
>>
>>              * UKOUG Solaris SIG Co-Chair *
>>
>>              http://notallmicrosoft.blogspot.com/
>>
>>
>>           
>>
>>
>>
>>
>>      --
>>
>>      Andrew Watkins * Birkbeck, University of London * Computer Science *
>>
>>      * UKOUG Solaris SIG Co-Chair *
>>
>>      http://notallmicrosoft.blogspot.com/
>>
>>
>
> --
> Andre van Eyssen
> mail: [email protected]            (alt: [email protected])
> purplecow.org: UNIX for the masses   http://www2.purplecow.org
> purplecow.org: PCOWpix               http://pix.purplecow.org
>
>
>


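The two diagnostics quoted in this thread (the Red Hat function-import test and the file-creation test in Ian's post-IDR output) wrapped into one repeatable check that can be pointed at any bash binary, e.g. /bin/bash on a Solaris host before and after a patch. This is an added example, not code from the thread; the script name check_shellshock.sh, the report labels and the vulnerable/patched/absent classification are my own.

```shell
#!/bin/sh
# Added example, not from the thread: runs the two bash diagnostics quoted
# above against a chosen bash binary and reports each as
# vulnerable / patched / absent (labels are my own).

# Classify the captured output of the Red Hat test. The injected
# "echo vulnerable" ran only if that word appears; a fixed bash either
# prints the "ignoring function definition attempt" warning or, on
# later releases, silently ignores the variable, so both count as patched.
classify_import_test() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Test 1: function import through an ordinary environment variable.
run_import_test() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo absent; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1)
    classify_import_test "$out"
}

# Test 2: the malformed-function test from Ian's post. On a partially
# fixed bash the leftover "> " redirection is applied to the command
# line, so "echo vuln" is written to a file named "echo" instead of being
# printed. Run it in a scratch directory so that file never lands in the
# caller's working directory.
run_parser_test() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo absent; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c "echo echo vuln" >/dev/null 2>&1 )
    if [ -f "$tmp/echo" ] && [ "$(cat "$tmp/echo")" = "vuln" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Usage: sh check_shellshock.sh [/path/to/bash]   (defaults to bash on PATH)
report() {
    printf 'import test (env var)    : %s\n' "$(run_import_test "$1")"
    printf 'parser test (file write) : %s\n' "$(run_parser_test "$1")"
}
report "$1"
```

Running it before and after installing the IDR gives the same two verdicts Ian pasted above, without leaving a stray "echo" file behind.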
