Re: [Tails-dev] Bash bug
On 9/24/14, anonym wrote:
> 25/09/14 01:02, Jurre van Bergen wrote:
>>
>> Dear Tails users,
>>
>> As you might have heard there is a Bash vulnerability, I have created a
>> temporary countermeasure write-up below.
>
> Out of curiosity, have you (or anyone else for that matter) come up
> with a relevant exploit in Tails? I suppose I'm talking mostly about
> actively supported (client-oriented) use cases -- it's obvious that
> anyone running a custom setup with a hidden service sshd with AcceptEnv,
> for instance, is affected.
>
> By the way, this will be fixed in the Tails 1.1.2 emergency release [1],
> scheduled to be released later today (Thursday, CEST).
>
> Cheers!
>
> [1] The reason for the 1.1.2 release is not the bash bug, but the
> Firefox bug:
> https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

By my count we'd want to ship an update to Firefox (libnss), bash
(dhclient? what else?) and apt (the http parser buffer overflow).

Any other critical bugs that were disclosed in the last few hours? :)

All the best,
Jacob

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Bash bug
Seems the Debian patch wasn't good enough, Tavis Ormandy wrote a bypass.
(https://twitter.com/taviso/status/514887394294652929)

Act with caution!

Jurre

On 09/25/2014 01:02 AM, Jurre van Bergen wrote:
>
> Dear Tails users,
>
> As you might have heard there is a Bash vulnerability, I have created a
> temporary countermeasure write-up below.
>
> Temporary countermeasure
>
> Debian has provided an updated version, we recommend you to upgrade to
> the latest version of Bash and this is how you do it:
>
> This is a less safe way to do it, make sure you use a trusted network
> and please note this change isn't persistent.
>
> 1: Set up an administrative password[1] when you boot Tails
> 2: Connect to the Internet (I recommend using a trusted network)
> 3: Run the following in a "root terminal":
>    apt-get update && apt-get install bash
>
> The more experienced user way:
>
> 1: Set up an administrative password[1] when you boot Tails
> 2: Download the wheezy package through a separate computer and place it
>    on the persistent volume to install before you connect to the Internet
>    and verify checksums :)
> 3: If you have the `deb` run in a "root terminal": dpkg -i /path/bash.deb
> 4: Connect to the internet
>
> [1]
> https://tails.boum.org/doc/first_steps/startup_options/administration_password/index.en.html
Re: [Tails-dev] Bash bug
25/09/14 01:02, Jurre van Bergen wrote:
>
> Dear Tails users,
>
> As you might have heard there is a Bash vulnerability, I have created a
> temporary countermeasure write-up below.

Out of curiosity, have you (or anyone else for that matter) come up
with a relevant exploit in Tails? I suppose I'm talking mostly about
actively supported (client-oriented) use cases -- it's obvious that
anyone running a custom setup with a hidden service sshd with AcceptEnv,
for instance, is affected.

By the way, this will be fixed in the Tails 1.1.2 emergency release [1],
scheduled to be released later today (Thursday, CEST).

Cheers!

[1] The reason for the 1.1.2 release is not the bash bug, but the
Firefox bug:
https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
[Tails-dev] Bash bug
Dear Tails users,

As you might have heard there is a Bash vulnerability, I have created a
temporary countermeasure write-up below.

Temporary countermeasure

Debian has provided an updated version, we recommend you to upgrade to
the latest version of Bash and this is how you do it:

This is a less safe way to do it, make sure you use a trusted network
and please note this change isn't persistent.

1: Set up an administrative password[1] when you boot Tails
2: Connect to the Internet (I recommend using a trusted network)
3: Run the following in a "root terminal":
   apt-get update && apt-get install bash

The more experienced user way:

1: Set up an administrative password[1] when you boot Tails
2: Download the wheezy package through a separate computer and place it
   on the persistent volume to install before you connect to the Internet
   and verify checksums :)
3: If you have the `deb` run in a "root terminal": dpkg -i /path/bash.deb
4: Connect to the internet

[1]
https://tails.boum.org/doc/first_steps/startup_options/administration_password/index.en.html
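The "verify checksums" and `dpkg -i` steps of the offline procedure above, as an added example that is not part of the original message: it compares a downloaded package with the SHA256 recorded in a Debian `Packages` index. Taking the checksum from a `Packages` index is an assumption here, as are the function names, paths and the constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: check a .deb against the SHA256
# recorded in a Debian "Packages" index before installing it offline.

# Print the SHA256 of package $2 as listed in Packages index $1.
packages_sha256() {
    awk -v pkg="$2" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            name = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) name = substr($i, 10)
                if ($i ~ /^SHA256: /)  sum  = substr($i, 9)
            }
            if (name == pkg && sum != "") { print sum; exit }
        }' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if the file or index entry is missing.
# $1 = .deb path, $2 = Packages index, $3 = package name.
verify_deb() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    want=$(packages_sha256 "$2" "$3")
    [ -n "$want" ] || { echo "no SHA256 for $3 in $2" >&2; return 2; }
    have=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$have" = "$want" ] && { echo "OK: $1"; return 0; }
    echo "MISMATCH: $1 is $have, index says $want" >&2
    return 1
}

# Constructed sample: a stand-in file and a two-stanza index built from it.
# Prints the two return codes: intact file, then tampered file.
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for a package\n' > "$d/bash.deb"
    s=$(sha256sum "$d/bash.deb" | cut -d' ' -f1)
    printf 'Package: apt\nSHA256: 00\n\nPackage: bash\nSHA256: %s\n' "$s" \
        > "$d/Packages"
    r1=0; verify_deb "$d/bash.deb" "$d/Packages" bash >/dev/null || r1=$?
    echo tampered >> "$d/bash.deb"           # simulate a modified download
    r2=0; verify_deb "$d/bash.deb" "$d/Packages" bash 2>/dev/null || r2=$?
    rm -rf "$d"
    echo "$r1 $r2"
}

# Real use in a root terminal (paths are placeholders):
#   verify_deb /path/bash.deb /path/Packages bash && dpkg -i /path/bash.deb
```

The check is only as strong as the index it reads: apt normally authenticates `Packages` through the signed `Release` file, so an index copied by hand needs to come from a source you trust as much as the package.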