[Triumf-linux-managers] Technical Alert - Bash patch (now codenamed "shellshock")
Andrew Daviel
advax at triumf.ca
Thu Sep 25 20:42:28 PDT 2014
The original patch released by RedHat (bash-3.2-env-inject.patch)
can be applied to RHEL 4 and RHEL 3 based systems fairly easily.
I have done this for SL3 i386 and SL4 i386 and placed them in
/triumfcs/mirror/triumf/legacy/bash == http://mirror/triumf/legacy/bash/
To install, "yum localinstall" (preferred) or "rpm -U"
You may need to add --force if RPM complains the current install is newer.
I built bash-2.05b-41.7a.i386.rpm and bash-3.0-27.ad.i386.rpm, signed with
the TRIUMF RPM key.
The modified SRPMs are in the same directory, to rebuild on x86_64 if
required.
The current patch is not a complete solution. If further patches are
available from RedHat I will back-port them also, unless someone gets
there ahead of me. This one was easy - just add one file to the
patch list in the specfile.
The story has been picked up by SANS - apparently some webservers have
already seen attempted exploits via CGI
https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707
https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerability/18709
- youtube video and PDF from Johannes B. Ullrich
Ideally, SL4 and earlier systems should be updated or replaced where
possible. SL3 is out of extended support, and SL4 is out of production.
The RHEL life cycle dates are summarized at
https://access.redhat.com/support/policy/updates/errata
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
More information about the Triumf-linux-managers
mailing list