On 04/11/2014 03:36, Bob Friesenhahn wrote:
While it would be nice if Solaris software was all 64-bit, in actual
practice I notice no difference in day to day use between systems with
32-bit applications and 64-bit. Only certain memory-hungry
applications will significantly benefit.
We
4 ноября 2014 г. 4:36:39 CET, Bob Friesenhahn bfrie...@simple.dallas.tx.us
пишет:
On Mon, 3 Nov 2014, Bruce Lilly wrote:
As of this late date, /usr/bin/bash here is in fact the bash
executable,
not a link; but that means that it's 32-bit only and might well
present
unexpected issues on 64-bit
On Tue, 4 Nov 2014, david allan finch wrote:
On 04/11/2014 03:36, Bob Friesenhahn wrote:
While it would be nice if Solaris software was all 64-bit, in actual
practice I notice no difference in day to day use between systems with
32-bit applications and 64-bit. Only certain memory-hungry
On Tue, Nov 4, 2014 at 2:58 AM, Jim Klimov jimkli...@cos.ru wrote:
On Mon, 3 Nov 2014, Bruce Lilly wrote:
As of this late date, /usr/bin/bash here is in fact the bash
executable,
not a link; but that means that it's 32-bit only and might well
[...]
So most of the programs (thousands of
On Sat, Oct 4, 2014 at 11:05 AM, cpforum cpfo...@orange.fr wrote:
cd /usr/bin
mv bash bash-oi_151a9
ln -s /usr/local/bin/bash bash
While that would be reasonable under many operating systems, it *may*
present problems on Solaris-derived systems, especially 64-bit systems.
See
On Mon, 3 Nov 2014, Bruce Lilly wrote:
As of this late date, /usr/bin/bash here is in fact the bash executable,
not a link; but that means that it's 32-bit only and might well present
unexpected issues on 64-bit systems when dealing with large files etc.
(basically anything that involves
On 11/ 3/14 07:36 PM, Bob Friesenhahn wrote:
Perhaps time_t is still an issue.
It is. 32-bit binaries will not be able to handle time_t values past
January 2038, whether in API's to get the current time or to access
timestamps on files.
Thanks, Jon!
This makes me really happy with OI.
Actually this small advancement in OI /dev a9 makes me happier than all
great advancements in /hipster.
Regards,
Dmitry.
Jon Tibble has just pushed updated bash package with recent security
fixes to OI /dev a9.
Thanks from me too!
Thanks to all who keep OI alive!
-Oorspronkelijk bericht-
Van: Dmitry Kozhinov [mailto:d...@desktopfay.com]
Verzonden: dinsdag 14 oktober 2014 17:52
Aan: openindiana-discuss@openindiana.org
Onderwerp: Re: [OpenIndiana-discuss] Bash bug issue
Thanks, Jon!
This makes
Hello.
Jon Tibble has just pushed updated bash package with recent security
fixes to OI /dev a9. Just update your bash to
shell/bash@4.0.28,5.11-0.151.1.9:20140117T202904Z .
--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department
On 10/13/2014 17:19, Alexander Pyhalov wrote:
Hello.
Jon Tibble has just pushed updated bash package with recent security
fixes to OI /dev a9. Just update your bash to
shell/bash@4.0.28,5.11-0.151.1.9:20140117T202904Z .
Sorry, you want more fresh version -
Thanks for this!
On Mon, Oct 13, 2014 at 1:19 PM, Alexander Pyhalov a...@rsu.ru wrote:
Hello.
Jon Tibble has just pushed updated bash package with recent security fixes
to OI /dev a9. Just update your bash to
shell/bash@4.0.28,5.11-0.151.1.9:20140117T202904Z
.
--
Best regards,
On 14/10/2014 12:19 AM, Alexander Pyhalov wrote:
Hello.
Jon Tibble has just pushed updated bash package with recent security
fixes to OI /dev a9. Just update your bash to
shell/bash@4.0.28,5.11-0.151.1.9:20140117T202904Z .
Any chance that the same could be done for a8? I can't get to a9 - it
On 09/10/2014 14:18, Cal Sawyer wrote:
Thanks very much for the reply and the succinct description of what's
happened to OI development, Udo
Good luck to everyone who's using OI in actual production! Me and my
65TB need to leave the building :)
We have 400 TB and are still in...
--
Dr.Udo
On 10/ 5/14 10:40 PM, Bob Friesenhahn wrote:
On Mon, 6 Oct 2014, Ian Collins wrote:
Bob Friesenhahn wrote:
It is always good to execute 'gmake check' before installing sofware
that comes with a test suite. Some bash tests seem to fail.
If you check the comments printed by the tests, it
2014-10-03 11:55 GMT+02:00 Andreas Wacknitz a.wackn...@gmx.de:
What most people don’t understand is that OpenIndiana is YOURS.
OpenIndiana is just a name with no company behind.
If you want something and nobody else is doing it then do it by yourself.
So instead of taking notes you should
2014-10-06 9:31 GMT+02:00 Frank Van Damme frank.vanda...@gmail.com:
2014-10-03 11:55 GMT+02:00 Andreas Wacknitz a.wackn...@gmx.de:
What most people don’t understand is that OpenIndiana is YOURS.
OpenIndiana is just a name with no company behind.
If you want something and nobody else is doing
Per openindiana.org:
OpenIndiana is a robust enterprise operating system
If the only solutions being offered after nearly 2 weeks are a) use ksh because bash is
somehow inferior (shades of csh-is-deterimental) or 2. rebuild bash youself
from source, i'd have to say that imho it's the polar
On 06/10/2014 14:54, Cal Sawyer wrote:
...
If the only solutions being offered after nearly 2 weeks are a) use ksh because bash is
somehow inferior (shades of csh-is-deterimental) or 2. rebuild bash youself
from source, i'd have to say that imho it's the polar opposite and this appears to be
On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith
alan.coopersm...@oracle.com wrote:
On 10/ 2/14 07:00 AM, Brandon Hume wrote:
On many (most? all?) Linuxes, /bin/sh *is* /bin/bash.
Many, but not all - the Debian family and some others use a lighter weight,
POSIX compatible shell instead,
There are a lot of tools depending on bash. Including virusscanners and
spamfilters.
The openCSW bash installs into another directory then the real/old bash.
How can you change the old bash with the openCSW bash?
I saw that solaris 11.2 supports a lot of (old) sparc hardware. And most of
Search q-nap shellshock and you see how deep this goes...
On 6 oktober 2014 19:28:00 David Brodbeck bro...@uw.edu wrote:
On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith
alan.coopersm...@oracle.com wrote:
On 10/ 2/14 07:00 AM, Brandon Hume wrote:
On many (most? all?) Linuxes, /bin/sh
These aren't new aspects of the bug. The fact is that default operation of
systems using bash as the shell for interpolation with system or for
scripts interpreted by bash allows remote code execution by taking strings
from untrusted sources (e.g. USER_AGENT in web servers) and passing them
The gift keeps on giving. There is yet another related security patch
for bash. Here is the one for bash 4.3:
http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html
Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick
Which CVE is that, or is it something else?
On Oct 6, 2014, at 9:35 PM, Bob Friesenhahn bfrie...@simple.dallas.tx.us
wrote:
The gift keeps on giving. There is yet another related security patch for
bash. Here is the one for bash 4.3:
The -07 version of the solaris 10 Oracle patch is from last monday. Seems
to me it fixes all. But had little time to test it.
On 2 oktober 2014 17:24:00 Alan Coopersmith alan.coopersm...@oracle.com
wrote:
On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote:
On Thu, 2 Oct 2014, Brandon Hume wrote:
Bob Friesenhahn wrote:
It is always good to execute 'gmake check' before installing sofware
that comes with a test suite. Some bash tests seem to fail.
If you check the comments printed by the tests, it looks like the
failures seen on Solaris based OS are expected.
I've been using 4.1.15
On Mon, 6 Oct 2014, Ian Collins wrote:
Bob Friesenhahn wrote:
It is always good to execute 'gmake check' before installing sofware
that comes with a test suite. Some bash tests seem to fail.
If you check the comments printed by the tests, it looks like the failures
seen on Solaris based OS
, to the extent permitted by law.
/usr/local/bin/bash
Verify it's OK
Then
cd /usr/bin
mv bash bash-oi_151a9
ln -s /usr/local/bin/bash bash
Message du 02/10/14 17:13
De : Alan Coopersmith
A : Discussion list for OpenIndiana
Copie à :
Objet : Re: [OpenIndiana-discuss] Bash bug issue
On 10
On Sat, 4 Oct 2014, cpforum wrote:
First : building openindiana a10 with updated commands (including a secure
bash) urge :-)
Second : because ksh is ten time powerfull and reliable than bash
leave bash and adopt ksh. If you want history put ' set -o emacs'
inside your .profile
ksh
Message du 04/10/14 17:28
De : Bob Friesenhahn
A : Discussion list for OpenIndiana
Copie à :
Objet : Re: [OpenIndiana-discuss] Bash bug issue
ksh provided by OpenIndiana is also outdated and broken. :-(
Your instructions are useful.
It is always good to execute 'gmake
2014-10-02 1:06 GMT+02:00 Bob Friesenhahn bfrie...@simple.dallas.tx.us:
I am not sure who has the ability to build and update OpenIndiana
packages, but it will be really really bad for the future of OpenIndiana if
it fails to supply a fixed version of its bash package.
I have only one system
Am 03.10.2014 um 11:49 schrieb Frank Van Damme frank.vanda...@gmail.com:
2014-10-02 1:06 GMT+02:00 Bob Friesenhahn bfrie...@simple.dallas.tx.us:
I am not sure who has the ability to build and update OpenIndiana
packages, but it will be really really bad for the future of OpenIndiana if
it
Has anyone tried to install the patched BASH version of
https://unixpackages.com [1] ?
It installs to a different location then the OI Bash and gives an error
:
bash --version
ld.so.1: bash: fatal: libintl.so.8: open failed: No such file or
directory Killed
does anyone have a solution
On 26/09/2014 8:47 PM, Gary Gendel wrote:
The current maintainer says it's been in bash for ~20 years, why it's
not in Solaris 10 is a mystery.
It is in Solaris 10. (And 11.) The test being used is flawed:
env X=() { :;} ; echo busted /bin/sh -c echo completed
This just tests whether
On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote:
On Thu, 2 Oct 2014, Brandon Hume wrote:
On 26/09/2014 8:47 PM, Gary Gendel wrote:
The current maintainer says it's been in bash for ~20 years, why it's not in
Solaris 10 is a mystery.
It is in Solaris 10. (And 11.) The test being used is
On 10/ 2/14 07:00 AM, Brandon Hume wrote:
On many (most? all?) Linuxes, /bin/sh *is* /bin/bash.
Many, but not all - the Debian family and some others use a lighter weight,
POSIX compatible shell instead, dash, the Debian Almquist Shell; and many
embedded distros use BusyBox instead.
secured)
-Oorspronkelijk bericht-
Van: Alan Coopersmith [mailto:alan.coopersm...@oracle.com]
Verzonden: donderdag 2 oktober 2014 17:10
Aan: Discussion list for OpenIndiana
Onderwerp: Re: [OpenIndiana-discuss] Bash bug issue
On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote:
On Thu, 2 Oct 2014
On 10/ 2/14 01:37 PM, outsider wrote:
It is very strange with the oracle updates for Solaris 10 11
Is far as I can see, Solaris 10 and Solaris 11 get different bash versions
after the patch.
They had different bash versions before the patch too. Upstream released
fixes for bash versions
So, do you mean that ksh93 does not have the vulnerability?
http://lists.research.att.com/pipermail/ast-developers/2014q3/003964.html
On Tue, Sep 30, 2014 at 10:02 AM, Bob Friesenhahn
bfrie...@simple.dallas.tx.us wrote:
On Tue, 30 Sep 2014, Jim Klimov wrote:
Maybe a stupid question on my
I am not sure who has the ability to build and update OpenIndiana
packages, but it will be really really bad for the future of
OpenIndiana if it fails to supply a fixed version of its bash package.
This article (including many example exploits) was posted on another
list:
I’m in a similar situation: Solaris 11 at home, without support contract. My
solution was to install OpenCSW’s updated bash (I had OpenCSW in place anyway),
move /usr/bin/bash out of the way, and symlink /opt/csw/bin/bash to
/usr/bin/bash.
Use a copy instead of a symlink if /opt is a
On Oct 1, 2014, at 7:06 PM, Bob Friesenhahn bfrie...@simple.dallas.tx.us
wrote:
I am not sure who has the ability to build and update OpenIndiana packages,
but it will be really really bad for the future of OpenIndiana if it fails to
supply a fixed version of its bash package.
This
Bruce Lilly bruce.li...@gmail.com writes:
http://lists.research.att.com/pipermail/ast-developers/2014q3/003964.html
Thanks for that... that is encouraging.
___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
We have tested all our systems, and the only ones that were vulnerable (in
cgi-bin) were ones that we had put in a bash script to test.
if you don't have any bash scripts in your cgi-bin, and your default system
shll is not bash (and on Solaris, and Ubuntu it isn't) then you pretty much
aren't
On Tue, 30 Sep 2014, Jim Klimov wrote:
Maybe a stupid question on my side (sorry i'm overwhelmed with
relocation and other life events), but how really is this bug
exploitable? Especially on Solaris and illumos systems with sh/ksh
by default and assumed no scripted CGI (hosts of native or
On 25/09/2014 10:42, Jonathan Adams wrote:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
does anyone know if this affects us?
As predicted, there's more bash horror (Score 11):
http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html
--
Dr.Udo Grabowski
paraphrasing Joshua from WarGames, bash is a strange game where the only
winning move is not to play.
J.
Sent from my iPhone
On Sep 29, 2014, at 2:43 AM, Udo Grabowski (IMK) udo.grabow...@kit.edu
wrote:
As predicted, there's more bash horror (Score 11):
Hopefully some kind person with necessary knowlege and access will
push an updated bash package which works on 151a8/9 so that servers
based on OpenIndiana are no longer a disaster situation. It might be
necessary to do this a few times until an official proper cure is
posted.
One service I
On 26 September 2014 20:04, Saso Kiselkov skiselkov...@gmail.com wrote:
The invoking shell is irrelevant. Here's your problem:
vvv
env X=() { :;} ; echo busted /bin/sh -c echo completed
^^^
Put bash in there and you'll
Gary Gendel g...@genashor.com writes:
I believe we mostly skirt the issue because, unlike Linux, the default
shell (/bin/sh) is ksh93 not bash. This means that under normal
conditions we shouldn't have an issue. Only if your cgi scripts
actually request bash will apache be a problem. As
On 26 September 2014 17:02, Harry Putnam rea...@newsguy.com wrote:
Gary Gendel g...@genashor.com writes:
I believe we mostly skirt the issue because, unlike Linux, the default
shell (/bin/sh) is ksh93 not bash. This means that under normal
conditions we shouldn't have an issue. Only if your
On 9/27/14, 1:41 AM, Nemo wrote:
On 26 September 2014 17:02, Harry Putnam rea...@newsguy.com wrote:
Gary Gendel g...@genashor.com writes:
I believe we mostly skirt the issue because, unlike Linux, the default
shell (/bin/sh) is ksh93 not bash. This means that under normal
conditions we
The current maintainer says it's been in bash for ~20 years, why it's
not in Solaris 10 is a mystery.
On 9/26/14, 7:41 PM, Nemo wrote:
On 26 September 2014 17:02, Harry Putnam rea...@newsguy.com wrote:
Gary Gendel g...@genashor.com writes:
I believe we mostly skirt the issue because, unlike
On 26 September 2014 19:44, Saso Kiselkov skiselkov...@gmail.com wrote:
On 9/27/14, 1:41 AM, Nemo wrote:
[...]
Whence does the OI bash source originate? On the bash that comes with
Solaris 10, the vulnerability is not present:
[~]= bash --version
GNU bash, version 3.00.16(1)-release
On 26 September 2014 19:47, Gary Gendel g...@genashor.com wrote:
The current maintainer says it's been in bash for ~20 years, why it's not in
Solaris 10 is a mystery.
If you which files, I can dig out the source from the companion disc
and compare.
N.
On 09/26/14 16:59, Nemo wrote:
[~]= echo $SHELL
/bin/bash
[~]= env X=() { :;} ; echo busted /bin/sh -c echo completed
completed
Note that I put bash into /bin to avoid GNUisms.
Try:
$ env X=() { :;} ; echo busted /bin/bash -c echo completed
___
On 9/27/14, 1:59 AM, Nemo wrote:
On 26 September 2014 19:44, Saso Kiselkov skiselkov...@gmail.com wrote:
On 9/27/14, 1:41 AM, Nemo wrote:
[...]
Whence does the OI bash source originate? On the bash that comes with
Solaris 10, the vulnerability is not present:
[~]= bash --version
GNU
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
does anyone know if this affects us?
___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
I guess you can test it yourself:
$ env x='() { :;}; echo vulnerable' bash -c echo this is a test
2014-09-25 10:42 GMT+02:00 Jonathan Adams t12nsloo...@gmail.com:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
does anyone know if this affects us?
Hi,
I have already upgraded from /hipster-2014.1 which has fix in it:
http://github.com/OpenIndiana/oi-userland/commit/35d2023cdaeba3486586ffb59e4f8a1ecc7a2c24
So, it affects all I guess, until bash is updated.
Regards.
On 09/25/14 10:42 AM, Jonathan Adams wrote:
On 25/09/2014 10:42, Jonathan Adams wrote:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
The bug works, so we are affected with everything that
is based on bash, as well as all users using bash in their
projects.
This is a bug with high impact and risks, so a fix should be
available
On 09/25/2014 12:46, Udo Grabowski (IMK) wrote:
On 25/09/2014 10:42, Jonathan Adams wrote:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
The bug works, so we are affected with everything that
is based on bash, as well as all users using bash in their
projects.
This is a bug with
On 25/09/2014 6:50 PM, Alexander Pyhalov wrote:
On 09/25/2014 12:46, Udo Grabowski (IMK) wrote:
On 25/09/2014 10:42, Jonathan Adams wrote:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
The bug works, so we are affected with everything that
is based on bash, as well as all users
On 09/25/2014 15:08, Carl Brewer wrote:
On 25/09/2014 6:50 PM, Alexander Pyhalov wrote:
On 09/25/2014 12:46, Udo Grabowski (IMK) wrote:
On 25/09/2014 10:42, Jonathan Adams wrote:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
The bug works, so we are affected with everything that
On 25/09/2014 13:08, Carl Brewer wrote:
On 25/09/2014 6:50 PM, Alexander Pyhalov wrote:
On 09/25/2014 12:46, Udo Grabowski (IMK) wrote:
On 25/09/2014 10:42, Jonathan Adams wrote:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
The bug works, so we are affected with everything that
On 25/09/2014 9:28 PM, Alexander Pyhalov wrote:
On 09/25/2014 15:08, Carl Brewer wrote:
On 25/09/2014 6:50 PM, Alexander Pyhalov wrote:
On 09/25/2014 12:46, Udo Grabowski (IMK) wrote:
On 25/09/2014 10:42, Jonathan Adams wrote:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
The
Don't get too up in a rush to upgrade bash. It's just been verified that
the patch isn't actually effective. :(
-brian
On Thu, Sep 25, 2014 at 09:31:52PM +1000, Carl Brewer wrote:
On 25/09/2014 9:28 PM, Alexander Pyhalov wrote:
On 09/25/2014 15:08, Carl Brewer wrote:
On 25/09/2014 6:50 PM,
On 09/25/2014 15:31, Carl Brewer wrote:
I wonder, I've tried in the past to bump this box to 151a9 but had
problems with messy pkg errors that I didn't have the time to sort out -
how stable is hipster these days? Stable enough to run a LAN server
with a couple of Virtualbox VM's on it?
On Thu, 25 Sep 2014, Udo Grabowski (IMK) wrote:
Recent discussions seem to lead to a general security concern
with the crippled bash parser, so there nearly certainly will
be more and more security issues in the next days to come up.
I think the better alternative is to provide 'dash' and
On 09/25/14 03:48 PM, Bob Friesenhahn wrote:
On Thu, 25 Sep 2014, Udo Grabowski (IMK) wrote:
Recent discussions seem to lead to a general security concern
with the crippled bash parser, so there nearly certainly will
be more and more security issues in the next days to come up.
I think the
In regard to: Re: [OpenIndiana-discuss] Bash bug issue, Bob Friesenhahn...:
Unfortunately, 'dash' is not completely compatible with scripts written for
'bash'. It is not clear to my why people write shell scripts targeting bash,
but it seems to happen often.
Two reasons:
- It's the all
for the user.
On 09/25/2014 01:04 PM, Tim Mooney wrote:
In regard to: Re: [OpenIndiana-discuss] Bash bug issue, Bob
Friesenhahn...:
Unfortunately, 'dash' is not completely compatible with scripts
written for 'bash'. It is not clear to my why people write shell
scripts targeting bash
for
the user.
On 09/25/2014 01:04 PM, Tim Mooney wrote:
In regard to: Re: [OpenIndiana-discuss] Bash bug issue, Bob
Friesenhahn...:
Unfortunately, 'dash' is not completely compatible with scripts written
for 'bash'. It is not clear to my why people write shell scripts targeting
bash
74 matches
Mail list logo