http://regeneracion.mx/red-libre/software-libre-como-unica-via-para-proteger-la-privacidad-julian-assange/

2014-09-29 20:32 GMT-03:00 Max Miorim <[email protected]>:

> It has already come out for others. In Debian, for example, the updated
> package was made available on 25/09 already.
>
> What I think still has no "official" patches is this segfault
> (CVE-2014-7186) and CVE-2014-7187.
>
> On Mon, Sep 29, 2014 at 7:56 PM, Sérgio Abrantes Junior <
> [email protected]> wrote:
>
>> It looks like this update only came out for Slack.
>>
>> 2014-09-29 18:51 GMT-03:00 J. Tozo <[email protected]>:
>>
>>> I installed the latest version with Florian Weimer's life-saving patch and:
>>>
>>> root@host:/tmp# bash --version
>>> GNU bash, version 4.2.50(2)-release (x86_64-slackware-linux-gnu)
>>> Copyright (C) 2011 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later <
>>> http://gnu.org/licenses/gpl.html>
>>>
>>> This is free software; you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law.
>>> root@host:/tmp# ./bashcheck
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> ./bashcheck: line 18: 15852 Segmentation fault      bash -c "true
>>> $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
>>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Test for CVE-2014-7187 not reliable without address sanitizer
>>> Variable function parser inactive, likely safe from unknown parser bug
>>>
>>> What worries me specifically is that segfault there
>>>
>>> Sep 29 18:42:04 host kernel: [5969481.075841] bash[15818]: segfault at
>>> 4c5c450 ip 00000000004245c3 sp 00007fff49154740 error 4 in
>>> bash[400000+e4000]
>>>
>>> I've already seen that lcamtuf got to:
>>> bash[3054]: segfault at 41414141 ip 00190d96 ...
>>>
>>> Cry.
>>>
>>>
>>> On Mon, Sep 29, 2014 at 6:34 PM, Max Miorim <[email protected]> wrote:
>>>
>>>> Ah, this is useful too: https://github.com/hannob/bashcheck
>>>>
>>>> It's a shell script that tells you which of the vulnerabilities affect
>>>> the version you have installed.
>>>>
>>>> On Mon, Sep 29, 2014 at 6:32 PM, Max Miorim <[email protected]>
>>>> wrote:
>>>>
>>>>> Has anyone here tried using Slackware without bash, or at least
>>>>> without bash as /bin/sh?
>>>>>
>>>>> I know that Debian and the BSDs use other shells as /bin/sh (dash,
>>>>> ash, ksh, pd-ksh, etc.), and I remember that when I tried to do this I
>>>>> had problems with booting on Slackware (arrays are bash-specific, not
>>>>> POSIX sh, and some things such as the network configuration depend on
>>>>> them).
>>>>>
>>>>> On Mon, Sep 29, 2014 at 6:27 PM, J. Tozo <[email protected]> wrote:
>>>>>
>>>>>> Come back from the hills!
>>>>>>
>>>>>> But not for long
>>>>>>
>>>>>> https://twitter.com/lcamtuf/status/516297412579581952
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Slackware Security Team <[email protected]>
>>>>>> Date: Mon, Sep 29, 2014 at 4:33 PM
>>>>>> Subject: [slackware-security] bash (SSA:2014-272-01)
>>>>>> To: [email protected]
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> [slackware-security]  bash (SSA:2014-272-01)
>>>>>>
>>>>>> New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
>>>>>> and -current to fix a security issue.
>>>>>>
>>>>>>
>>>>>> Here are the details from the Slackware 14.1 ChangeLog:
>>>>>> +--------------------------+
>>>>>> patches/packages/bash-4.2.050-i486-1_slack14.1.txz:  Upgraded.
>>>>>>   Another bash update.  Here's some information included with the patch:
>>>>>>     "This patch changes the encoding bash uses for exported functions to avoid
>>>>>>     clashes with shell variables and to avoid depending only on an environment
>>>>>>     variable's contents to determine whether or not to interpret it as a shell
>>>>>>     function."
>>>>>>   After this update, an environment variable will not go through the parser
>>>>>>   unless it follows this naming structure:  BASH_FUNC_*%%
>>>>>>   Most scripts never expected to import functions from environment variables,
>>>>>>   so this change (although not backwards compatible) is not likely to break
>>>>>>   many existing scripts.  It will, however, close off access to the parser as
>>>>>>   an attack surface in the vast majority of cases.  There's already another
>>>>>>   vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
>>>>>>   but this hardening patch prevents it (and likely many more similar ones).
>>>>>>   Thanks to Florian Weimer and Chet Ramey.
>>>>>>   (* Security fix *)
>>>>>> +--------------------------+
>>>>>>
>>>>>>
>>>>>> Where to find the new packages:
>>>>>> +-----------------------------+
>>>>>>
>>>>>> Thanks to the friendly folks at the OSU Open Source Lab
>>>>>> (http://osuosl.org) for donating FTP and rsync hosting
>>>>>> to the Slackware project!  :-)
>>>>>>
>>>>>> Also see the "Get Slack" section on http://slackware.com for
>>>>>> additional mirror sites near you.
>>>>>>
>>>>>> Updated package for Slackware 13.0:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.020-i486-1_slack13.0.txz
>>>>>>
>>>>>> Updated package for Slackware x86_64 13.0:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.020-x86_64-1_slack13.0.txz
>>>>>>
>>>>>> Updated package for Slackware 13.1:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz
>>>>>>
>>>>>> Updated package for Slackware x86_64 13.1:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.014-x86_64-1_slack13.1.txz
>>>>>>
>>>>>> Updated package for Slackware 13.37:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.014-i486-1_slack13.37.txz
>>>>>>
>>>>>> Updated package for Slackware x86_64 13.37:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.014-x86_64-1_slack13.37.txz
>>>>>>
>>>>>> Updated package for Slackware 14.0:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.050-i486-1_slack14.0.txz
>>>>>>
>>>>>> Updated package for Slackware x86_64 14.0:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.050-x86_64-1_slack14.0.txz
>>>>>>
>>>>>> Updated package for Slackware 14.1:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.050-i486-1_slack14.1.txz
>>>>>>
>>>>>> Updated package for Slackware x86_64 14.1:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.050-x86_64-1_slack14.1.txz
>>>>>>
>>>>>> Updated package for Slackware -current:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.027-i486-1.txz
>>>>>>
>>>>>> Updated package for Slackware x86_64 -current:
>>>>>>
>>>>>> ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.027-x86_64-1.txz
>>>>>>
>>>>>>
>>>>>> MD5 signatures:
>>>>>> +-------------+
>>>>>>
>>>>>>
>>>>>>
>>>>>> Installation instructions:
>>>>>> +------------------------+
>>>>>>
>>>>>> Upgrade the package as root:
>>>>>> # upgradepkg bash-4.2.050-i486-1_slack14.1.txz
>>>>>>
>>>>>>
>>>>>> +-----+
>>>>>>
>>>>>> Slackware Linux Security Team
>>>>>> http://slackware.com/gpg-key
>>>>>> [email protected]
>>>>>>
>>>>>>
>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>> Version: GnuPG v1
>>>>>>
>>>>>> iEYEARECAAYFAlQpqCoACgkQakRjwEAQIjPD0QCfSmNXkeHavRJjRtENMC13Rtx6
>>>>>> DsYAn1fsM+SOgqVuB7URSJtSKrmtPvr8
>>>>>> =Xi8W
>>>>>> -----END PGP SIGNATURE-----
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>>
>>>>>>  Tozo
>>>>>>
>>>>>>  --
>>>>>> GUS-BR - Grupo de Usuários de Slackware Brasil
>>>>>> http://www.slackwarebrasil.org/
>>>>>> http://groups.google.com/group/slack-users-br
>>>>>>
>>>>>> Before asking:
>>>>>>
>>>>>> http://www.vivaolinux.com.br/artigo/Como-elaborar-perguntas-para-listas-de-discussao
>>>>>>
>>>>>> To leave the list, send an e-mail to:
>>>>>> [email protected]
>>>>>> ---
>>>>>> You received this message because you are subscribed to the "Slackware
>>>>>> Users Group - Brazil" group on Google Groups.
>>>>>> To unsubscribe from this group and stop receiving e-mails from it,
>>>>>> send an e-mail to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks,
>>>
>>>  Tozo
>>>
>>>
>>
>>
>
>

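
Added example, not part of the thread or of the Slackware advisory: a shell sketch of the rule the quoted ChangeLog states, that after the update only variables named BASH_FUNC_*%% go through the parser. The function names, the probe variable gr_probe and the sample environment are constructed for illustration.

```sh
# Rule from SSA:2014-272-01: a value is parsed as a function only when the
# variable name follows the BASH_FUNC_*%% structure.

# classify_env_entry NAME VALUE
# prints: function-import | legacy-candidate | plain
classify_env_entry() {
    case $2 in
        '() {'*) ;;                    # value has the shape of an exported function
        *) echo plain; return ;;
    esac
    case $1 in
        BASH_FUNC_?*%%) echo function-import ;;   # updated bash still parses this
        *)              echo legacy-candidate ;;  # parsed only without the update
    esac
}

# count_legacy: reads single-line NAME=VALUE entries on stdin and prints how
# many an un-updated bash would have sent through the parser.
count_legacy() {
    n=0
    while IFS= read -r line; do
        name=${line%%=*}     # text before the first '='
        value=${line#*=}     # text after the first '='
        if [ "$(classify_env_entry "$name" "$value")" = legacy-candidate ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# bash_plain_import: prints "imported" if the local bash still turns an
# ordinary variable into a function, "ignored" if not, "no-bash" if absent.
# The probe body is the no-op ':' and nothing follows it.
bash_plain_import() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    if env 'gr_probe=() { :; }' bash -c 'declare -F gr_probe' >/dev/null 2>&1; then
        echo imported
    else
        echo ignored
    fi
}

# Constructed sample environment (not taken from the thread).
SAMPLE='HOME=/root
BASH_FUNC_greet%%=() {  echo hi
HTTP_USER_AGENT=() { :; }
TERM=xterm'
printf '%s\n' "$SAMPLE" | count_legacy
```

On a host with the update described above, bash_plain_import reports "ignored"; "imported" means the shell predates the BASH_FUNC_*%% encoding.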