Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-06 Thread eles via Digitalmars-d-announce

On Sunday, 5 October 2014 at 21:53:08 UTC, eles wrote:

On Sunday, 5 October 2014 at 21:13:01 UTC, Kagamin wrote:

On Friday, 3 October 2014 at 11:25:59 UTC, eles wrote:



it) and a new-comer on the scene is Tranglu, that I just


*Tanglu

http://www.tanglu.org/en/



Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-06 Thread Steven Schveighoffer via Digitalmars-d-announce

On 10/2/14 3:42 AM, Kagamin wrote:

On Thursday, 2 October 2014 at 07:14:35 UTC, Iain Buclaw via
Digitalmars-d-announce wrote:

Doesn't Linux Mint provide an upgrade facility for you?


No idea.


I use Linux Mint, I believe I upgraded once *. I don't think it was 
complex, just an upgrade through the standard UI for updates.


* Note: I have a bad memory when it comes to things like this :)

-Steve



Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-06 Thread Kiith-Sa via Digitalmars-d-announce
On Monday, 6 October 2014 at 15:06:04 UTC, Steven Schveighoffer 
wrote:

On 10/2/14 3:42 AM, Kagamin wrote:

On Thursday, 2 October 2014 at 07:14:35 UTC, Iain Buclaw via
Digitalmars-d-announce wrote:

Doesn't Linux Mint provide an upgrade facility for you?


No idea.


I use Linux Mint, I believe I upgraded once *. I don't think it 
was complex, just an upgrade through the standard UI for 
updates.


* Note: I have a bad memory when it comes to things like this :)

-Steve


Mint always supported upgrades between LTS releases. There were 
no upgrades between non-LTS releases, which were basically just 
bit-more-stable betas. That's changed now as posted above, Mint 
14.04 to 15.10 (and possibly longer) will be seamlessly 
upgradable release to release as Mint gradually diverges away 
from its Ubuntu base. 16.04 may be a reset, or they may continue 
to diverge further, or they may move fully to Debian; but they'll 
probably still have an upgrade path as it will be an LTS.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-06 Thread Steven Schveighoffer via Digitalmars-d-announce

On 10/6/14 12:10 PM, Kiith-Sa wrote:

On Monday, 6 October 2014 at 15:06:04 UTC, Steven Schveighoffer wrote:

On 10/2/14 3:42 AM, Kagamin wrote:

On Thursday, 2 October 2014 at 07:14:35 UTC, Iain Buclaw via
Digitalmars-d-announce wrote:

Doesn't Linux Mint provide an upgrade facility for you?


No idea.


I use Linux Mint, I believe I upgraded once *. I don't think it was
complex, just an upgrade through the standard UI for updates.

* Note: I have a bad memory when it comes to things like this :)


Mint always supported upgrades between LTS releases. There were no
upgrades between non-LTS releases, which were basically just
bit-more-stable betas. That's changed now as posted above, Mint 14.04 to
15.10 (and possibly longer) will be seamlessly upgradable release to
release as Mint gradually diverges away from its Ubuntu base. 16.04 may
be a reset, or they may continue to diverge further, or they may move
fully to Debian; but they'll probably still have an upgrade path as it
will be an LTS.


Hm.. I think I had Linux Mint 12, and I upgraded to 13 (not the LTS 
version).


Maybe it wasn't so seamless, as I said I have a bad memory.

-Steve


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-05 Thread eles via Digitalmars-d-announce

On Thursday, 2 October 2014 at 11:12:12 UTC, Kagamin wrote:

On Thursday, 2 October 2014 at 07:43:54 UTC, eles wrote:

update-manager -d

It works.


Does it perform package upgrade? The comments are rather scary:
---
Hi, I have installed Linux mint 15 with Mint4Win as Dual boot 
with Windows 7.

Then upgraded it to Mint 16 and it was running fine.
But when I upgrade to Mint 17 (Qiana), after restarting the 
partition loop0 (or loopback0 or something like that) fails to 
load.
It shows an error like, Press I to ignore, S to skip or M for 
manual recovery.


Hi,

A bit of news here, as I just updated my knowledge about Linux Mint 
and Linux Mint Debian Edition.


In short, from this discussion and its comments:

http://segfault.linuxmint.com/2014/08/upcoming-lmde-2-to-be-named-betsy/

Linux Mint Debian abandons its (semi-)rolling model and will 
basically become just a kind of Ubuntu, but based on Debian 
Stable (Ubuntu, AFAIK, is based on Debian Unstable). They will 
require full-upgrades every 2 years, but the upgrades shall be 
smooth (no reinstall required). For two years, you will not need 
to do such upgrade, just the basic security upgrades and some 
updates (mainly browser and email clients).


Linux Mint, starting from version 17, marks a departure from 
previous releases (this is why you might have encountered 
difficulties in upgrading) by keeping the same code base (Ubuntu 
14.04 LTS) for the next 5 years. So, during this time, it will 
basically be a rolling-distribution, as some software will get 
updated just as regular (security fixes etc.) happens. Probably, 
after those 5 years, they will change the code base to the next 
Ubuntu LTS, which will start a new 5-years long upgrade.


One piece of advice: Debian Testing might seem (by the name) more 
secure than Debian Unstable. The truth is that the latter is more 
up-to-date and receives security fixes first (they are entering 
the Debian Unstable first, then they are pre-validated before 
going in Debian Testing). More, Debian Unstable is not as 
unstable as its name might tell but, yes, it requires you messing 
sometimes (read: maybe once every three months) with the apt-get 
and vim. But it is not such a big deal.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-05 Thread Paul O'Neil via Digitalmars-d-announce
On 10/01/2014 04:50 PM, Nick Sabalausky wrote:
> On 10/01/2014 01:38 PM, Iain Buclaw via Digitalmars-d-announce wrote:
>>
>> One nice thing about Ubuntu is that they even give you access to
>> future kernel versions through what they call HWE.  In short, I can
>> run a 14.04 LTS kernel on a 12.04 server, so that I'm able to use
>> modern hardware and take advantage of software that uses features of
>> Linux that are actively worked on (like LXC) on an older software
>> stack.
>>
>
> Is there anything similar in Debian?
>

Debian Backports: backports.debian.org

-- 
Paul O'Neil
Github / IRC: todayman


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-05 Thread Kagamin via Digitalmars-d-announce

On Friday, 3 October 2014 at 11:25:59 UTC, eles wrote:
Debian and Debian-based asks you to confirm file overwrite 
(usually, the diff is displayed too).


Isn't it the same package manager? It should be able to do the 
same on mint. Or maybe fstab can be copied somewhere and then 
back at some point?


On Sunday, 5 October 2014 at 08:54:46 UTC, eles wrote:
Linux Mint, starting from version 17, marks a departure from 
previous releases (this is why you might have encountered 
difficulties in upgrading) by keeping the same code base 
(Ubuntu 14.04 LTS) for the next 5 years. So, during this time, 
it will basically be a rolling-distribution, as some software 
will get updated just as regular (security fixes etc.) happens.


Truly rolling or only security updates?
Well, I'm ok with a fresh install. But can it run under the 
target linux itself? Or rather what to run from the disk? Since 
mint4win installation is a virtual disk, I'm not sure the 
installer will find it gracefully, they're usually 
partition-oriented. Not sure if this eliminates problem with 
fstab though.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-05 Thread eles via Digitalmars-d-announce

On Sunday, 5 October 2014 at 21:13:01 UTC, Kagamin wrote:

On Friday, 3 October 2014 at 11:25:59 UTC, eles wrote:
Debian and Debian-based asks you to confirm file overwrite 
(usually, the diff is displayed too).


Isn't it the same package manager? It should be able to do the 
same on mint. Or maybe fstab can be copied somewhere and then 
back at some point?


It should be the same, but I am never sure about the homegrown 
patches that the Mint team applies (for example, they applied 
that patch that presents update packs).




Truly rolling or only security updates?


Actually, a kind of releases, every 6 months, but that only comes 
down to updating the Mint plug-ins and a selected handful of 
programs (probably, browser, update manager and e-mail clients). 
There is not much difference wrt a rolling release, because the 
code base does not change. Basically, the releases will be 
nothing else than some glorified update packs, so basically the 
same that LMDE does today. Call it a semi-rolling. At least 
this is my understanding of it.



Well, I'm ok with a fresh install.


My advice is to wait a bit for the new LMDE to get out. 
Installing LMDE now as the current model approaches its end of 
life is not the best, since mostly sure, you'll have to do it 
again since they change the code base (from testing to stable).


But can it run under the target linux itself? Or rather what to 
run from the disk? Since mint4win installation is a virtual 
disk, I'm not sure the installer will find it gracefully, 
they're usually partition-oriented. Not sure if this eliminates 
problem with fstab though.


Sorry, I have no direct experience with Mint directly, I 
extrapolate my understanding of other distributions to it, from 
the comments. Could not answer to those questions as they require 
first-hand experience.


Anyway, if you feel a bit adventurous, the current LMDE model is 
somewhat continued by a distribution called SolidXK (google it) 
and a new-comer on the scene is Tranglu, that I just installed in 
a VM and which looks very promising (a mix of Debian Stable, 
Testing and Unstable, release-style, but hopefully with 
undisruptive upgrades).


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-03 Thread Kagamin via Digitalmars-d-announce

On Thursday, 2 October 2014 at 12:44:08 UTC, eles wrote:
I doubt. At least, not easily. However, installing LMDE should 
be a one-time process (it's a rolling distribution).


Do rolling distributions guarantee to not overwrite fstab? How 
mint package update differs from a rolling distro package update?


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-03 Thread David Nadlinger via Digitalmars-d-announce

On Friday, 3 October 2014 at 07:16:14 UTC, Kagamin wrote:

On Thursday, 2 October 2014 at 12:44:08 UTC, eles wrote:
I doubt. At least, not easily. However, installing LMDE should 
be a one-time process (it's a rolling distribution).


Do rolling distributions guarantee to not overwrite fstab? How 
mint package update differs from a rolling distro package 
update?


Arch Linux warns you about the conflict and installs the new 
files as e.g. /etc/fstab.pacnew.


David


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-03 Thread eles via Digitalmars-d-announce

On Friday, 3 October 2014 at 07:16:14 UTC, Kagamin wrote:

On Thursday, 2 October 2014 at 12:44:08 UTC, eles wrote:
I doubt. At least, not easily. However, installing LMDE should 
be a one-time process (it's a rolling distribution).


Do rolling distributions guarantee to not overwrite fstab? How 
mint package update differs from a rolling distro package 
update?


Debian and Debian-based asks you to confirm file overwrite 
(usually, the diff is displayed too).


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-03 Thread John Colvin via Digitalmars-d-announce

On Friday, 3 October 2014 at 11:31:07 UTC, eles wrote:

On Friday, 3 October 2014 at 07:16:14 UTC, Kagamin wrote:

On Thursday, 2 October 2014 at 12:44:08 UTC, eles wrote:
I doubt. At least, not easily. However, installing LMDE 
should be a one-time process (it's a rolling distribution).


Do rolling distributions guarantee to not overwrite fstab? How 
mint package update differs from a rolling distro package 
update?


Mint is release-based. All packages are updated in a large 
group that is called a release, unlike rolling distributions, 
where packages are updated package-by-package, sometimes even 
on daily basis.


The former attempt stability (because all packages are tested 
together, along with their interactions), while the latter 
attempt cutting-edge software (you update software as it gets 
produced).


No matter the distribution, security packages usually come in 
in a rolling manner (because very important).


Unlike other release-style distributions, Mint simply does not 
support hot-upgrades, they recommend full reinstall (back-up 
your files, clean harddisk, install, restore files).


Anyway, the fact that they do not support it does not mean it is 
not possible. It's just that they disclaim responsibility and 
they do not want to invest support into that.


So, it is possible, but you must be a bit of geek. And you 
cannot request their official helps/guides for that. Think of 
it as undocumented feature from their POV.


I recently upgraded a mint install by changing any and all 
references to repositories to the corresponding ones for the new 
release and then running apt-get dist-upgrade


It worked, but I wouldn't recommend it.

Clean reinstalls or rolling release are better approaches to the 
problem of updating an OS. Ubuntu, Windows and OS X have all 
subtly or not-so-subtly let me down with automated upgrades at 
one point or another.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-03 Thread Dicebot via Digitalmars-d-announce

On Friday, 3 October 2014 at 11:31:07 UTC, eles wrote:
The former attempt stability (because all packages are tested 
together, along with their interactions), while the latter 
attempt cutting-edge software (you update software as it gets 
produced).


This is generally true but not entirely true. Rolling release model 
also implies testing of package inter-operation but any 
guarantees only apply to versions that match specific repository 
snapshot - most problems arise from trying to update some of 
packages but not all. At least this is the case for Arch.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-03 Thread Brad Roberts via Digitalmars-d-announce

On 10/3/2014 3:25 AM, David Nadlinger via Digitalmars-d-announce wrote:

On Friday, 3 October 2014 at 07:16:14 UTC, Kagamin wrote:

On Thursday, 2 October 2014 at 12:44:08 UTC, eles wrote:

I doubt. At least, not easily. However, installing LMDE should be a
one-time process (it's a rolling distribution).


Do rolling distributions guarantee to not overwrite fstab? How mint
package update differs from a rolling distro package update?


Arch Linux warns you about the conflict and installs the new files as
e.g. /etc/fstab.pacnew.

David


I've used at various points in time Debian, Ubuntu, Redhat, Centos, and 
amazon linux.  At no point has any of them ever lost my fstab file, or 
any other critical file for that matter.  My oldest system at this point 
is about 8 years old and has been ubuntu since it was born and still is. 
 It's current and has rolled through every intervening version quite 
easily, which is a good thing since it's a vm off in a data center.


It's not hard to maintain systems, but they do require maintenance.  I 
wouldn't really expect to neglect a system for many years and be able to 
rapidly jump it all the way to current.  About once a year I go on a big 
maintenance spree, independent of more frequent minor maintenance.


My 2 cents,
Brad


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-03 Thread eles via Digitalmars-d-announce
On Friday, 3 October 2014 at 17:20:11 UTC, Brad Roberts via 
Digitalmars-d-announce wrote:
On 10/3/2014 3:25 AM, David Nadlinger via 
Digitalmars-d-announce wrote:

On Friday, 3 October 2014 at 07:16:14 UTC, Kagamin wrote:

On Thursday, 2 October 2014 at 12:44:08 UTC, eles wrote:


 My oldest system at this point is about 8 years old and has 
been ubuntu since it was born and still is.
 It's current and has rolled through every intervening version 
quite easily


Yes. Ubuntu was not perfectly upgrading at its beginnings, but 
with years that passed they became better and better at this.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-02 Thread Kagamin via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 20:03:11 UTC, Dicebot wrote:
This is a very unpleasant experience you get compared to sticking 
to LTS or up to date distro


Erm, upgrading to the latest version is exactly what I want, old 
version is of no interest to me. I read, one can reorient 
aptitude to latest repository and update everything, but I was 
told it won't work. So the question is how to update kernel and 
everything else?


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-02 Thread Iain Buclaw via Digitalmars-d-announce
On 2 October 2014 08:00, Kagamin via Digitalmars-d-announce
<digitalmars-d-announce@puremagic.com> wrote:
> On Wednesday, 1 October 2014 at 20:03:11 UTC, Dicebot wrote:
>>
>> This is a very unpleasant experience you get compared to sticking to LTS or
>> up to date distro
>
> Erm, upgrading to the latest version is exactly what I want, old version is
> of no interest to me. I read, one can reorient aptitude to latest repository
> and update everything, but I was told it won't work.

Doesn't Linux Mint provide an upgrade facility for you?  Looks to me
that you have gone with the wrong distro of choice. ;)

Upgrading by using apt is doable, but from what you've demonstrated
about your knowledge, I wouldn't recommend it to you.

> So the question is how to update kernel and everything else?

http://community.linuxmint.com/tutorial/view/2

If your /home is on a separate partition, just download the latest LTS
iso and do a fresh install.  Only thing to note is that when it comes
to partitioning, you must absolutely not destroy your /home unless you
want your personal files gone.  :)

Iain.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-02 Thread eles via Digitalmars-d-announce

On Thursday, 2 October 2014 at 11:12:12 UTC, Kagamin wrote:

On Thursday, 2 October 2014 at 07:43:54 UTC, eles wrote:

update-manager -d

It works.


Does it perform package upgrade? The comments are rather scary:
---
Hi, I have installed Linux mint 15 with Mint4Win as Dual boot 
with Windows 7.

Then upgraded it to Mint 16 and it was running fine.
But when I upgrade to Mint 17 (Qiana), after restarting the 
partition loop0 (or loopback0 or something like that) fails to 
load.
It shows an error like, Press I to ignore, S to skip or M for 
manual recovery.


Please tell me a way to fix this.
Or let me know if it is not possible.
---

Looks like my case. Are fstab and mtab replaced during upgrade?


You should drop Mint, they have a quite disruptive policy, but 
they are kinda unique in the Linux world. Better choice in the 
Mint world would be LMDE:


http://www.linuxmint.com/download_lmde.php

You simply made the wrong choice in the beginning.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-02 Thread Kagamin via Digitalmars-d-announce

On Thursday, 2 October 2014 at 11:40:31 UTC, eles wrote:

You simply made the wrong choice in the beginning.


Well, it looked popular and easy. Can I upgrade my mint to lmde?


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-02 Thread eles via Digitalmars-d-announce

On Thursday, 2 October 2014 at 12:06:16 UTC, Kagamin wrote:

On Thursday, 2 October 2014 at 11:40:31 UTC, eles wrote:



Well, it looked popular and easy.


Sorry. It's just that everything that glitters...


Can I upgrade my mint to lmde?


I doubt. At least, not easily. However, installing LMDE should be 
a one-time process (it's a rolling distribution).


Alternatives are: Arch Linux, Debian Testing and a couple of 
others. Anyway, most of the release-based distributions (Mint is a 
special case) support upgrading, even if not rolling 
distributions (for example, Ubuntu).


I have not much experience with Mint (none, in fact), but even in 
the case of a full and disruptive upgrade they should preserve 
your settings and documents. However, I disclaim responsibility 
as I don't know how it works.




Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Iain Buclaw via Digitalmars-d-announce
On 1 October 2014 06:09, Nick Sabalausky via Digitalmars-d-announce
<digitalmars-d-announce@puremagic.com> wrote:
> Don't mean to be alarmist, but I'm posting this in case anyone else is like
> me and hasn't been paying attention since this news broke (AIUI) about a
> week ago.
>
> Apparently bash has its own heartbleed now, dubbed shellshock. Warm
> fuzzy flashbacks of TMNT: The Arcade Game aside, this appears to be pretty
> nasty *and* it affects pretty much every version of bash ever released. And
> of course bash exists on practically everything, so...pretty big deal.
> Security sites, blogs-o'-spheres, cloudosphere, etc are all over this one.
> (Don't know how I managed to miss it until now.)
>
> Patches have been issued (and likely more to come from what I gather), so:
>
> Go update bash on all your computers and server, NOW. No, don't hit reply,
> do it now. Personally, I'd keep updating fairly frequently until the whole
> matter settles down a bit.


At work we do two things:

1) Add our main email to the Debian Security ML, so we tend to know
about any vulnerabilities that need patching at least 24 hours before
it hits the media.

2) Use an automated configuration management system, such as Puppet.
By the time we read the initial email, the fix had already been
applied to all servers without manual intervention. ;)

Of course, merely updating your packages is not enough to keep you
safe.  You must also consider which front-end facing applications are
using the now patched software, and restart it.

grep libvulnerable /proc/*/maps | grep deleted


Iain
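
Added example, not part of the message above: a shell function that expands the `grep ... /proc/*/maps | grep deleted` check into a per-process report, so each PID still running a replaced copy of a file is listed once with its command name. The `PROC_ROOT` argument, the function names and the sample PIDs, process names and paths are assumptions constructed for this illustration.

```shell
#!/bin/sh
# List processes that still map a deleted (replaced-on-disk) copy of a file.
# Usage: stale_mappings PATTERN [PROC_ROOT]
# PROC_ROOT is an assumption of this example (default /proc) so the function
# can also be pointed at a constructed directory tree.
stale_mappings() {
    pattern=$1
    proc_root=${2:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null) || comm='?'
        # maps columns: address perms offset dev inode pathname
        # A file replaced by a package upgrade shows up as "pathname (deleted)".
        awk -v pid="$pid" -v comm="$comm" -v pat="$pattern" '
            $NF == "(deleted)" && NF >= 7 {
                path = $6
                for (i = 7; i < NF; i++) path = path " " $i
                # One line per PID and file, however many segments are mapped.
                if (index(path, pat) && !(path in seen)) {
                    seen[path] = 1
                    printf "%s\t%s\t%s\n", pid, comm, path
                }
            }' "$maps" 2>/dev/null || :
    done
}

# Constructed sample: three fake PIDs with hand-written maps files.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir "$root/101" "$root/202" "$root/303"
    echo nginx > "$root/101/comm"
    cat > "$root/101/maps" <<'EOF'
00400000-004a0000 r-xp 00000000 08:01 1311 /usr/sbin/nginx
7f10a0000000-7f10a0020000 r-xp 00000000 08:01 2001 /usr/lib/libvulnerable.so.1 (deleted)
7f10a0220000-7f10a0221000 rw-p 00020000 08:01 2001 /usr/lib/libvulnerable.so.1 (deleted)
7f10a1000000-7f10a11b0000 r-xp 00000000 08:01 2100 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    echo bash > "$root/202/comm"
    cat > "$root/202/maps" <<'EOF'
00400000-004ef000 r-xp 00000000 08:01 1400 /bin/bash (deleted)
7f20a1000000-7f20a11b0000 r-xp 00000000 08:01 2100 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    # PID 303 was restarted after the upgrade, so its mapping is not deleted.
    echo sshd > "$root/303/comm"
    cat > "$root/303/maps" <<'EOF'
7f30a0000000-7f30a0020000 r-xp 00000000 08:01 2055 /usr/lib/libvulnerable.so.1
EOF
    printf '%s\n' "$root"
}

# Run against the constructed tree; drop the second argument to scan /proc.
sample=$(make_sample_proc)
stale_mappings libvulnerable "$sample"
stale_mappings /bin/bash "$sample"
rm -rf "$sample"
```

On a live system the function needs root to read other users' maps files; unreadable entries are skipped.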


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Steven Schveighoffer via Digitalmars-d-announce

On 10/1/14 1:09 AM, Nick Sabalausky wrote:

Patches have been issued (and likely more to come from what I gather), so:


FWIW, MacOS X now has an update for bash that fixes the bug, apparently 
came out last night.


http://support.apple.com/kb/HT6495

-Steve


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread JN via Digitalmars-d-announce
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:


Other OSes/distros are likely equally easy. Please, reply with 
examples to help ensure other people on the same OS/distro as 
you have no excuse not to update!


I find it ironic that it's another big global security hole 
about which Windows users don't even have to be concerned.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread eles via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 13:41:43 UTC, JN wrote:
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:


I find it ironic that it's another big global security hole 
about which Windows users don't even have to be concerned.


That's of course very true, since Windows runs on no serious 
servers.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Paulo Pinto via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 13:58:25 UTC, eles wrote:

On Wednesday, 1 October 2014 at 13:41:43 UTC, JN wrote:
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:


I find it ironic that it's another big global security hole 
about which Windows users don't even have to be concerned.


That's of course very true, since Windows runs on no serious 
servers.


You would be surprised how some Fortune 500 companies are doing 
their serious work in 100% Windows servers.


Sadly I need to comply with NDAs.

--
Paulo


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Kagamin via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 14:29:16 UTC, Paulo  Pinto wrote:
You would be surprised how some Fortune 500 companies are doing 
their serious work in 100% Windows servers.


Sadly I need to comply with NDAs.


Isn't NASDAQ enough?


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Kagamin via Digitalmars-d-announce
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:
Apparently bash has its own heartbleed now, dubbed 
shellshock.


Does it affect dash?
Also, how does one update software on linux? Last I checked, when 
new version is out, repository of the previous version becomes 
utterly abandoned. A pity, on windows one can roll new software 
versions as long as they are maintained.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Dicebot via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 14:44:06 UTC, Kagamin wrote:
Also, how does one update software on linux? Last I checked, 
when new version is out, repository of the previous version 
becomes utterly abandoned. A pity, on windows one can roll new 
software versions as long as they are maintained.


This claim is so strange I can't even understand what it is 
about. Which repositories get abandoned?


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread eles via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 14:44:06 UTC, Kagamin wrote:
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:



Does it affect dash?


No. It is a bashism, i.e. an extension specific to Bash. Busybox 
users are not concerned either.


A pity, on windows one can roll new software versions as long 
as they are maintained.


It depends on the software (many abandoned Windows XP while still 
officially supported) and you shall not ask about the quality 
of this software either. It is not the same effort that goes into 
legacy versions as goes into newer versions.


BTW updating software on Windows is the PITAst of all ever 
(except maybe some medieval tortures). You have to install 
software manually, software after software. The first thing that 
I love in Linux is the centralized update.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Steven Schveighoffer via Digitalmars-d-announce

On 10/1/14 12:57 PM, Kagamin wrote:

On Wednesday, 1 October 2014 at 15:48:58 UTC, Dicebot wrote:

This claim is so strange I can't even understand what it is about.
Which repositories get abandoned?


Repositories of the not latest version of the OS. Because only latest
version receives development. That is, if the OS doesn't have rolling
updates.


https://wiki.ubuntu.com/LTS

-Steve


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread eles via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 16:57:07 UTC, Kagamin wrote:

On Wednesday, 1 October 2014 at 15:45:26 UTC, eles wrote:


Repositories of the not latest version of the OS. Because only 
latest version receives development. That is, if the OS doesn't 
have rolling updates.


What is the difference wrt Microsoft phasing out a Windows 
version? Except that upgrading from Windows to Windows is such a 
PITA that even the Brazen Bull seems to be just a nice couch.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Iain Buclaw via Digitalmars-d-announce
On 1 October 2014 18:12, Steven Schveighoffer via
Digitalmars-d-announce <digitalmars-d-announce@puremagic.com> wrote:
> On 10/1/14 12:57 PM, Kagamin wrote:
>>
>> On Wednesday, 1 October 2014 at 15:48:58 UTC, Dicebot wrote:
>>>
>>> This claim is so strange I can't even understand what it is about.
>>> Which repositories get abandoned?
>>
>>
>> Repositories of the not latest version of the OS. Because only latest
>> version receives development. That is, if the OS doesn't have rolling
>> updates.
>
>
> https://wiki.ubuntu.com/LTS


One nice thing about Ubuntu is that they even give you access to
future kernel versions through what they call HWE.  In short, I can
run a 14.04 LTS kernel on a 12.04 server, so that I'm able to use
modern hardware and take advantage of software that uses features of
Linux that are actively worked on (like LXC) on an older software
stack.

Iain.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Dicebot via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 16:57:07 UTC, Kagamin wrote:

On Wednesday, 1 October 2014 at 15:45:26 UTC, eles wrote:

The first thing that I love in Linux is the centralized update.


The downside is it's taken down centrally too, while 
distributed windows software continues to work independently of 
each other.


On Wednesday, 1 October 2014 at 15:48:58 UTC, Dicebot wrote:
This claim is so strange I can't even understand what it is 
about. Which repositories get abandoned?


Repositories of the not latest version of the OS. Because only 
latest version receives development. That is, if the OS doesn't 
have rolling updates.


This is simply telling lies, sorry. All distros that don't have 
rolling release model provide LTS versions that get all important 
updates (including security updates, of course) for years. For 
example Ubuntu LTS lasts for 4 years where one can count on fast 
updates.


And even after that period your distro does not disappear 
magically, you are simply forced to install necessary updates 
manually (as opposed to 1 click / command update from repo), 
basically getting you back to Windows _default_ state of things.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Dicebot via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 18:42:41 UTC, Kagamin wrote:
I have linux mint 12 installation with mint4win (wubi), on 
linux mint forums I was told, that updating from the latest 
repository won't work. I would be grateful, if you explain, how 
to upgrade it to the latest version. Yeah, theoretically it 
should be able to just overwrite files on disk without paying 
much attention to disk nature.


Linux Mint 12 is not LTS release (and _insanely_ old). You are 
supposed to do regular full upgrades with non-LTS releases, this 
is why bash update was not propagated to its repositories.


However you can simply go to 
http://packages.linuxmint.com/search.php?keyword=bash&release=any&section=any 
and download .deb package of more recent release from there to 
install manually. It may work or may not depending on how 
compatible dependencies are.


This is a very unpleasant experience you get compared to sticking to 
LTS or up to date distro but pretty much on the same level as one 
you normally have in the Windows all the time. And with little 
time investments it is miles and miles ahead any possible Windows 
experience you can get even theoretically (speaking exclusively 
about upgrade/update process here).


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Nick Sabalausky via Digitalmars-d-announce

On 10/01/2014 03:19 PM, Brad Roberts via Digitalmars-d-announce wrote:

On 10/1/2014 6:41 AM, JN via Digitalmars-d-announce wrote:

On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky wrote:


Other OSes/distros are likely equally easy. Please, reply with
examples to help ensure other people on the same OS/distro as you have
no excuse not to update!


I find it ironic that it's another big global security hole about
which Windows users don't even have to be concerned.


False.

All of my windows boxes needed to be updated.  One of the first things I
do on any new windows box is install cygwin to get a saner development
environment with bash as my shell.



Yea. I've been very tempted to put bash on my Win desktops as well. 
Heck, I may even have some old installation of msys/mingw bash still 
lying around somewhere.



I wouldn't be shocked at all if other windows apps bundle bash for one
reason or another too.  It might not come as part of the base install
(though given the huge pile of stuff that gets installed, I wouldn't put
huge bets on it not lurking off in a dark corner somewhere), but that's
not the end of the story.


Yup, Git comes to mind. (Or at least Git GUI?) Don't know whether that 
actually exposes any attack vectors, but I guess that's kinda the big 
question everyone's trying to find out, isn't it? What are all the 
possible attack vectors of this flaw? Some of them have been 
discovered, but who knows what else there may be.




Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Nick Sabalausky via Digitalmars-d-announce

On 10/01/2014 02:42 PM, Kagamin wrote:


I have a Linux Mint 12 installation with mint4win (wubi); on the Linux Mint
forums I was told that updating from the latest repository won't work.



I sympathize: 
http://www.linuxquestions.org/questions/linux-software-2/how-to-install-enlightenment-on-mint-15-a-4175492936/


That annoyance is why (aside from servers) I've switched to 
rolling-release distros. In my case, Debian Testing (which, as I've been 
told by others here, and can personally confirm, is much more stable 
than its unfortunately-chosen name would suggest). I picked that one 
since I'm most familiar with the general Debian family of distros 
(apt-get and all). But I've heard good things about Arch too and may 
look into it.


FWIW, I don't think all release-based distros are quite as aggressive as 
Mint with abandoning older releases. Even the super-outdated Debian 6 
apparently still has some support via its LTS repos. I suspect Mint may 
need to do things that way just as a manpower issue. Mint's a popular 
distro, but I get the impression its development is a relatively small 
grassroots thing with much more limited resources than say Debian or 
Ubuntu. (Of course, I could be wrong.)


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Nick Sabalausky via Digitalmars-d-announce

On 10/01/2014 01:38 PM, Iain Buclaw via Digitalmars-d-announce wrote:


One nice thing about Ubuntu is that they even give you access to
future kernel versions through what they call HWE.  In short, I can
run a 14.04 LTS kernel on a 12.04 server, so that I'm able to use
modern hardware and take advantage of software that uses features of
Linux that are actively worked on (like LXC) on an older software
stack.



Is there anything similar in Debian?



Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Dicebot via Digitalmars-d-announce
On Wednesday, 1 October 2014 at 20:45:14 UTC, Nick Sabalausky 
wrote:
I suspect Mint may need to do things that way just as a 
manpower issue. Mint's a popular distro, but I get the 
impression its development is a relatively small grassroots 
thing with much more limited resources than say Debian or 
Ubuntu. (Of course, I could be wrong.)


This matches my observations too. It gained a lot of popularity 
when Ubuntu switched to Unity as default desktop environment and 
Fedora moved with Gnome 3 - quite many users started looking for 
a distro with more conservative defaults. However its development 
/ maintenance team does not seem to match that popularity burst.


[OT Security PSA] Shellshock: Update your bash, now!

2014-09-30 Thread Nick Sabalausky via Digitalmars-d-announce
Don't mean to be alarmist, but I'm posting this in case anyone else is 
like me and hasn't been paying attention since this news broke (AIUI) 
about a week ago.


Apparently bash has its own heartbleed now, dubbed shellshock. Warm 
fuzzy flashbacks of TMNT: The Arcade Game aside, this appears to be 
pretty nasty *and* it affects pretty much every version of bash ever 
released. And of course bash exists on practically everything, 
so...pretty big deal. Security sites, blogs-o'-spheres, cloudosphere, 
etc are all over this one. (Don't know how I managed to miss it until now.)


Patches have been issued (and likely more to come from what I gather), so:

Go update bash on all your computers and servers, NOW. No, don't hit 
reply, do it now. Personally, I'd keep updating fairly frequently until 
the whole matter settles down a bit.


Since the security folks have been jumping at this, getting a fixed bash 
should be trivial. Debian already has patched versions in its repos 
(even for Debian 6 if you're using the LTS repo). Other distros likely 
have patched versions now too. So you have no excuse!


More info:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability
https://startpage.com/do/search?query=bash+shellshock


HOW TO CHECK/UPDATE:


Test for vulnerability like this (supposed to be one line):
$ env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"


Update to a fixed bash:

Debian Testing (and probably Deb 7, though I don't have an installation 
of 7 to confirm):

$ sudo apt-get update && sudo apt-get install bash

Debian 6: (Including setting up the LTS repos):
$ sudo cat 'deb http://http.debian.net/debian squeeze-lts main contrib non-free' >> /etc/apt/sources.list
$ sudo cat 'deb-src http://http.debian.net/debian squeeze-lts main contrib non-free' >> /etc/apt/sources.list

$ sudo apt-get update && sudo apt-get install bash

Other OSes/distros are likely equally easy. Please, reply with examples 
to help ensure other people on the same OS/distro as you have no excuse 
not to update!
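
Added example, not part of the original post or thread: the one-line test above wrapped in POSIX shell so it can be run against every bash on PATH, or against extra directories such as the Cygwin, MSYS or Git installs mentioned in the replies. The function names check_bash, scan_dirs and scan_path and the verdict strings are this example's own.

```shell
#!/bin/sh
# Added example: run the thread's Shellshock probe against each bash binary.
# Function names and verdict strings are this example's own (hypothetical).

# check_bash FILE: print "vulnerable", "patched", "unknown" or "missing".
# Exit status is 0 only for "patched".
check_bash() (
    shell=$1
    { [ -f "$shell" ] && [ -x "$shell" ]; } || { echo missing; exit 2; }
    # Same two crafted variables as the one-liner in the post: a vulnerable
    # bash runs the trailing echo while importing them from the environment.
    out=$(env 'VAR=() { :;}; echo Bash is vulnerable!' \
              'FUNCTION()=() { :;}; echo Bash is vulnerable!' \
              "$shell" -c 'echo Bash Test' 2>/dev/null)
    case $out in
        *'Bash is vulnerable!'*) echo vulnerable; exit 1 ;;
        *'Bash Test'*)           echo patched;    exit 0 ;;
        *)                       echo unknown;    exit 3 ;;
    esac
)

# scan_dirs DIR...: check DIR/bash in every listed directory.
# Returns 1 if any copy found is not confirmed patched.
scan_dirs() {
    scan_status=0
    for dir in "$@"; do
        [ -x "$dir/bash" ] || continue
        verdict=$(check_bash "$dir/bash") || scan_status=1
        printf '%s\t%s\n' "$verdict" "$dir/bash"
    done
    return "$scan_status"
}

# scan_path: check every directory on PATH (split on ':' without globbing).
scan_path() (
    IFS=:
    set -f
    scan_dirs $PATH
)

scan_path || echo "at least one bash on PATH is not confirmed patched"
```

Directories that are not on PATH can be passed to scan_dirs directly; an "unknown" verdict means the binary produced neither expected line and should be checked by hand.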


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-09-30 Thread Nick Sabalausky via Digitalmars-d-announce

On 10/01/2014 01:09 AM, Nick Sabalausky wrote:

Debian 6: (Including setting up the LTS repos):
$ sudo cat 'deb http://http.debian.net/debian squeeze-lts main contrib non-free' >> /etc/apt/sources.list
$ sudo cat 'deb-src http://http.debian.net/debian squeeze-lts main contrib non-free' >> /etc/apt/sources.list
$ sudo apt-get update && sudo apt-get install bash



Pffft, ok, so I'm a little brain-fried. Obviously those first two lines 
should be:


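# sudo tee -a does the append as root; a plain shell redirect would run as the calling user
$ echo 'deb http://http.debian.net/debian squeeze-lts main contrib non-free' | sudo tee -a /etc/apt/sources.list
$ echo 'deb-src http://http.debian.net/debian squeeze-lts main contrib non-free' | sudo tee -a /etc/apt/sources.list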


Keep or omit the non-free and contrib as you wish. Or, you know, 
just get off of Debian 6 to say, Debian 7 or something ;)