[App_rpt-users] NEW Security Issues

Doug Crompton doug at crompton.com
Thu Sep 25 21:15:47 UTC 2014


I totally agree. With all this security talk you might think we were running national security servers. Human nature is sometimes so bizarre. People can be scared so easily and the media loves scaring people. But then sometimes it takes scare tactics to get someone to take action. Has anyone ever had an Allstar system compromised that was properly set up?

The fix is easy.

If you are running centos just do

yum update bash

The upcoming Beaglebone Black 1.2 release will have the fix.

Ubuntu auto updated today.

Other releases should have similar update paths.

Run this script at the Linux prompt to test -

 env X="() { :;} ; echo busted" `which bash` -c "echo completed"

If it returns busted then you have the problem.

One caveat - the current fixes are preliminary and have not gone through extensive testing, so you might want to check for updates again in a few days or weeks.

73 Doug
WA3DSP
http://www.crompton.com/hamradio
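Doug's one-liner above reports whether the local bash still executes the text that follows a function definition imported from the environment, and David's reply quoted below names bash scripts in a public cgi-bin as the one remote vector worth worrying about. The script below is an added example and is not part of any post in this thread; it wraps those two checks as shell functions so they can be run on every node: bash_status (reports patched, vulnerable or no-bash), list_bash_cgi (lists scripts in a CGI directory whose interpreter line is bash or sh) and cgi_other_perms (shows the "other" permission bits that David's chmod 700 clears). The function names and the /var/www/cgi-bin path in the usage comment are assumptions, not anything from the original posts.

```shell
#!/bin/sh
# Added example (not from the list thread): checks for the bash environment
# function-import bug discussed above, and inventories the CGI scripts that
# would hand HTTP request headers to bash.

# Report "vulnerable", "patched" or "no-bash". The probe is the one Doug
# posted: a function definition in an environment variable followed by a
# command. An unpatched bash runs the trailing command while importing the
# function at startup, so "busted" shows up in the output.
bash_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env X='() { :;}; echo busted' bash -c 'echo completed' 2>/dev/null)
    case "$out" in
        *busted*) echo "vulnerable" ;;
        *)        echo "patched" ;;
    esac
}

# Print the scripts directly under a CGI directory whose interpreter line
# names bash or sh (on many systems /bin/sh is bash). These are the scripts
# for which the web server's CGI environment (HTTP_USER_AGENT and friends)
# reaches bash; scripts in other languages are only exposed if they call
# system() or similar with a bash /bin/sh. Argument: the cgi-bin directory
# (assumed path, e.g. /var/www/cgi-bin).
list_bash_cgi() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            '#!'*bash*|'#!'*/sh*) echo "$f" ;;
        esac
    done
}

# Print the "other" permission bits (rwx for everyone else) of a directory.
# "---" means the chmod 700 David suggests as a stop-gap is already in place,
# so the web server (unless it runs as the directory owner) cannot enter it.
cgi_other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Convenience wrapper: one report per node.
# Usage (assumed):  . ./shellshock_check.sh && shellshock_report /var/www/cgi-bin
shellshock_report() {
    echo "bash: $(bash_status)"
    echo "cgi-bin other perms: $(cgi_other_perms "$1" 2>/dev/null)"
    echo "bash/sh CGI scripts:"
    list_bash_cgi "$1"
}
```

A node that reports "patched" and has no bash or sh scripts in a world-readable cgi-bin has closed the vector David describes; one that reports "vulnerable" should still get the yum/apt update Doug mentions even after the chmod, because the permission change only covers the web server path.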


> Date: Thu, 25 Sep 2014 16:29:30 -0400
> From: kb4fxc at inttek.net
> To: app_rpt-users at ohnosec.org
> Subject: Re: [App_rpt-users] NEW  Security Issues
> 
> 
> Hi Everyone,
> 
> I'm going to try to slow the panic here! WHY is this such a huge security
> concern for AllStar users????
> 
> The only remote attack vector that might be of concern is via the apache
> webserver. And, this is only a concern if you've got bash shell scripts in
> a publicly accessible cgi-bin directory. So, if you do have a vulnerable
> cgi-bin, just temporarily do a "chmod 700" on this directory and the
> problem is mitigated....Or, just stop the apache service entirely.
> 
> This vulnerability isn't like HeartBleed from several months ago. Nor does 
> it provide a means for privilege escalation.
> 
> Am I missing something???  (I hope not! I've got over 100 servers with 
> this vulnerability currently).
> 
> So, slow down and -plan- this fix. Don't break your system due to an 
> unneeded panic!
> 
> 
> 73, David KB4FXC
> 
> On Thu, 25 Sep 2014 mike at midnighteng.com wrote:
> 
> > 
> > The increase in recent hack attempts is the result of the recent knowledge of a fundamental bug in bash.
> > It was not a big deal till someone published the flaw before some patches could be issued.
> > 
> > Some folks set-ups are vulnerable. If you run HTTP, you certainly are.
> > 
> > Just a FYI...
> > 
> > SHELLSHOCK - this is bigger and older than heartbleed.
> > 
> > It is a very big deal for "all" linux systems running http.
> > 
> > http://seclists.org/oss-sec/2014/q3/650       
> > 
> > to check your version of bash, type
> > 
> > cd /bin
> > bash --version
> > 
> > our acid installs should be at 3.2
> > Remote ssh devices are possibly at risk.
> > Current patches may not be entirely effective.
> > Much more to be known about this.
> > 
> > google shellshock for more info.
> > 
> > ...mike/kb8jnm
> > 