And there'll be more updates coming, no doubt, as further related vulnerabilities have been found - see http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

Gavin

On 29 September 2014 11:01, McGinley, Ian R <[email protected]> wrote:
> Two releases since the IDR was applied on Friday.
>
> [email protected]:~$ pkg list -af bash
> NAME (PUBLISHER)          VERSION                          IFO
> shell/bash                4.1.11-0.175.2.2.0.8.0           ---
> shell/bash                4.1.11-0.175.2.2.0.7.0           ---
> shell/bash                4.1.11-0.175.2.0.0.42.1.1399.1   i--
> shell/bash                4.1.11-0.175.2.0.0.42.1          ---
>
> Ian McGinley
> Application Technology
> Consumer and Digital - Online
> 03 8647 2433
> 0457 724 419
>
> -----Original Message-----
> From: Tim Hogard [mailto:[email protected]]
> Sent: Saturday, 27 September 2014 10:21 PM
> To: Tim Hogard
> Cc: [email protected]
> Subject: Re: [msosug] bash vulnerability in Solaris?.
>
> pkg update sent a 2nd version of bash just moments ago.
>
> On my t5120 toybox running 11.2:
>
> # cp /usr/bin/bash /tmp
> # pkg update
> # ls -l /usr/bin/bash /tmp/bash
> -r-xr-xr-x 1 root root 1245760 Sep 27 22:14 /tmp/bash
> -r-xr-xr-x 1 root bin  1245752 Sep 27 22:15 /usr/bin/bash
> # md5sum /usr/bin/bash /tmp/bash
> a08d7d8081e345081cb2c72c0c5f8ff7  /usr/bin/bash
> fce382e2c5794e38434d152e811f17d7  /tmp/bash
>
> -tim
>
> On Sep 27, 2014, at 10:14 AM, Tim Hogard wrote:
>> On Sep 26, 2014, at 8:49 PM, Murray Blakeman wrote:
>>> Not sure if anyone is interested. For Solaris 11+.
>>>
>>> http://www.solarismultimedia.com/?q=node/108
>>>
>>> May not be good practice but it'll do for the moment.
>>>
>>> Regards
>>>
>>> Murray
>>
>> A poorly fixed bash was updated yesterday when I did a "pkg update".
>>
>> I say poorly fixed because the parser appears to bail out when it sees
>> anything funny rather than doing the proper thing, which is to parse
>> correctly and process to the proper syntax error. The result is
>> someone will find a way to bypass this fix. I think this fix came
>> from the bash team.
>>
>> -tim
>>
>>> On 26/09/2014 09:43, McGinley, Ian R wrote:
>>>> Solaris 10 SPARC
>>>>
>>>> PRE Install of IDR
>>>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>> vulnerable
>>>> this is a test
>>>>
>>>> POST INSTALL of IDR (no logout and no reboot)
>>>>
>>>> root@ccssapprfvs001[DHS-Stage1]# env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable"
>>>> bash: X: line 1: syntax error near unexpected token `='
>>>> bash: X: line 1: `'
>>>> bash: error importing function definition for `X'
>>>> echo vuln
>>>> cat: cannot open echo
>>>> root@ccssapprfvs001[DHS-Stage1]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>> bash: warning: x: ignoring function definition attempt
>>>> bash: error importing function definition for `x'
>>>> this is a test
>>>>
>>>> -----Original Message-----
>>>> From: Andre van Eyssen [mailto:[email protected]]
>>>> Sent: Friday, 26 September 2014 9:44 AM
>>>> To: McGinley, Ian R
>>>> Cc: Boyd Adamson; Andrew Watkins; [email protected]
>>>> Subject: Re: [msosug] bash vulnerability in Solaris?.
>>>>
>>>> Ian -- you're doing a great job of keeping the list updated. For the
>>>> benefit of the subscriber base, can you update the list as patches
>>>> roll in?
>>>>
>>>> McGinley, Ian R wrote:
>>>>> Current info I've got:
>>>>>
>>>>> IDRs are in test for
>>>>>
>>>>> Solaris 11.2 -> 11.2 SRU 2.5
>>>>> Solaris 11.1 -> Solaris 11.1 SRU 12.5
>>>>> Solaris 11.1 SRU 13.6 -> Solaris 11.1 SRU 21.4.1
>>>>>
>>>>> Solaris 10 (with dependency on 12654{6..7}-05 already in place)
>>>>>
>>>>> Solaris 9
>>>>>
>>>>> And Solaris 8 coming soon.
>>>>>
>>>>> From: Boyd Adamson [mailto:[email protected]]
>>>>> Sent: Thursday, 25 September 2014 6:55 PM
>>>>> To: Andrew Watkins
>>>>> Cc: [email protected]
>>>>> Subject: Re: [msosug] bash vulnerability in Solaris?.
>>>>>
>>>>> Will indeed be interesting to see what they do. Another aspect is
>>>>> that in the past Solaris 11 package updates have only ever been
>>>>> bundled into SRUs that also included reboot-requiring packages. If
>>>>> they continue this practice then we will be rebooting for an update
>>>>> that really only requires replacing a single binary, while our
>>>>> Linux systems are already upgraded without outage.
>>>>>
>>>>> On 25 Sep 2014, at 6:27 pm, Andrew Watkins <[email protected]> wrote:
>>>>>
>>>>> Yes, we could all compile and install a new version or remove bash,
>>>>> but it will be interesting to see how Oracle handle it for all the
>>>>> Solaris 11 releases. Currently they only release patches for the
>>>>> latest version 11.2, so that is why I am interested in what they
>>>>> will do for this one.
>>>>>
>>>>> What happens if the zero-day security bug was in the Solaris 11.0
>>>>> kernel, so there is no way of you fixing it? Will they only release
>>>>> a patch for 11.2 or will they back port?
>>>>>
>>>>> Happy fixing.
>>>>>
>>>>> Andrew
>>>>>
>>>>> On 25/09/2014 09:18, Ben Couldrey wrote:
>>>>>
>>>>> We should all be running zsh anyway... (sorry Boyd, had to get in
>>>>> before you did)
>>>>>
>>>>> Ben
>>>>>
>>>>> On 25 Sep 2014, at 6:13 pm, Andrew Watkins <[email protected]> wrote:
>>>>>
>>>>> It will be interesting if Oracle release a bash patch for all
>>>>> Solaris 11 versions (11, 11.1 and 11.2).
>>>>> Or will they force everyone to go to Solaris 11.2 SRU latest?
>>>>>
>>>>> Andrew
>>>>>
>>>>> On 25/09/2014 08:21, McGinley, Ian R wrote:
>>>>>
>>>>> Log an SR asking for it.
>>>>>
>>>>> We've got one in the system for tracking internal change
>>>>> management purposes.
>>>>>
>>>>> In the meantime if it's super dangerous for you, then
>>>>> pkgrm SUNWbash, or at least chmod 000 /bin/bash
>>>>>
>>>>> From: Tony Payne [mailto:[email protected]]
>>>>> Sent: Thursday, 25 September 2014 11:39 AM
>>>>> To: msosug
>>>>> Subject: [msosug] bash vulnerability in Solaris?.
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I'm sure you've all heard about the bash vulnerability where
>>>>> "specially-crafted environment variables can be used to inject
>>>>> shell commands", unearthed by Stephane Chazelas very recently?
>>>>>
>>>>> Many Linux flavors have already released patches and, according to
>>>>> the following test (see in full at:
>>>>> https://access.redhat.com/articles/1200223), Solaris 10 at least
>>>>> appears to be vulnerable.
>>>>>
>>>>> =========================
>>>>>
>>>>> Diagnostic Steps
>>>>>
>>>>> To test if your version of Bash is vulnerable to this issue, run
>>>>> the following command:
>>>>>
>>>>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>>>
>>>>> If the output of the above command looks as follows:
>>>>>
>>>>> vulnerable
>>>>> this is a test
>>>>>
>>>>> you are using a vulnerable version of Bash. The patch used to fix
>>>>> this issue ensures that no code is allowed after the end of a Bash
>>>>> function. Thus, if you run the above example with the patched
>>>>> version of Bash, you should get an output similar to:
>>>>>
>>>>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>>> bash: warning: x: ignoring function definition attempt
>>>>> bash: error importing function definition for `x'
>>>>> this is a test
>>>>>
>>>>> =========================
>>>>>
>>>>> Does anyone know if there is, or is planned, a patch for Solaris'
>>>>> bash implementation?
>>>>>
>>>>> * https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA&
>>>>>
>>>>> --
>>>>> Cheers,
>>>>>
>>>>> Tony.
>>>>>
>>>>> --
>>>>> Andrew Watkins * Birkbeck, University of London * Computer Science *
>>>>> * UKOUG Solaris SIG Co-Chair *
>>>>> http://notallmicrosoft.blogspot.com/
>>>>
>>>> --
>>>> Andre van Eyssen
>>>> mail: [email protected] (alt: [email protected])
>>>> purplecow.org: UNIX for the masses http://www2.purplecow.org
>>>> purplecow.org: PCOWpix http://pix.purplecow.org

_______________________________________________
msosug mailing list
[email protected]
http://mexico.purplecow.org/m/listinfo/msosug
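The thread quotes two probes: the Red Hat diagnostic for CVE-2014-6271 that Tony posted, and the CVE-2014-7169 one-liner Ian ran after the IDR. The script below, an added example and not code from anyone on the list, wraps both so they can be run against a given bash binary (defaulting to the first bash on PATH) and reported per CVE. The function names and the result words "vulnerable", "patched" and "missing" are my own. It assumes a POSIX sh with `mktemp -d`; Ian's one-liner used bash-only `[[ ]]` and `cat echo`, which the script replaces with a POSIX test and a scratch directory, because on a vulnerable bash the 7169 probe writes a file named `echo` into the current directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): run the two Shellshock
# probes quoted above against a chosen bash binary and report per CVE.
# Function names and the words "vulnerable"/"patched"/"missing" are my own.

# probe_6271 BASH_PATH
# Red Hat's diagnostic for CVE-2014-6271: an exported "function" followed by
# a trailing command. A vulnerable bash runs "echo vulnerable" while importing
# the environment; a patched one only warns on stderr and runs the -c command.
probe_6271() {
    p6271_bash=$1
    [ -x "$p6271_bash" ] || { echo missing; return 0; }
    p6271_out=$(env x='() { :;}; echo vulnerable' \
        "$p6271_bash" -c 'echo this is a test' 2>/dev/null) || true
    case $p6271_out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# probe_7169 BASH_PATH
# Ian's post-IDR test for CVE-2014-7169: the dangling redirect in "(a)=>\"
# is left in the parser, so "echo echo vuln" runs as "echo vuln > echo" and a
# vulnerable bash writes a file named "echo" in the current directory.
# Run it inside a scratch directory so the host is not left with that file.
probe_7169() {
    p7169_bash=$1
    [ -x "$p7169_bash" ] || { echo missing; return 0; }
    p7169_dir=$(mktemp -d) || return 1
    ( cd "$p7169_dir" && env X='() { (a)=>\' \
        "$p7169_bash" -c 'echo echo vuln' >/dev/null 2>&1 ) || true
    if [ -f "$p7169_dir/echo" ] && [ "$(cat "$p7169_dir/echo")" = vuln ]; then
        p7169_res=vulnerable
    else
        p7169_res=patched
    fi
    rm -rf "$p7169_dir"
    echo "$p7169_res"
}

# shellshock_report [BASH_PATH]
# One line per probe for the bash at BASH_PATH (default: first bash on PATH).
# "patched" means only that these two probes fail; it says nothing about the
# further related vulnerabilities Gavin refers to at the top of the thread.
shellshock_report() {
    sr_bash=${1:-$(command -v bash || true)}
    printf 'bash under test: %s\n' "${sr_bash:-<none found>}"
    printf 'CVE-2014-6271: %s\n' "$(probe_6271 "$sr_bash")"
    printf 'CVE-2014-7169: %s\n' "$(probe_7169 "$sr_bash")"
}

shellshock_report "$@"
```

Run it as `sh shellshock_probe.sh /usr/bin/bash` on each host (or on the copy Tim saved to /tmp before `pkg update`) to compare the binary before and after a patch; pair it with the md5sum check from Tim's mail if you want to confirm the file actually changed.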
