Shellshock bash security update

Hi,
The update was a normal Debian update and fixes the vulnerability (AFAIK there was an update of the update; the first fix did not solve all issues).

Udo


Debian, Ubuntu and Red Hat all did two releases to address the issue. If you have applied an update in the last 24 hours then you should be in good shape.

I wasn't aware of an exploit in the wild that targeted anything beyond apache. Is there such a beast or was Proxmox vulnerable in any of its recent incarnations?
 
The danger of this vulnerability has been blown way out of proportion by the media yet again. Your system is only vulnerable to this particular exploit if your system has inherent security flaws and you're asking for trouble in the first place:

- you're running (f)CGI
- using svn/git over ssh with ForceCommand
- using flawed DHCP clients (that store values they get from the server in ENV variables for no reason)

As such, for a normal system there is no danger whatsoever.
 
The official Squeeze bash package is stuck at v4.1-3 and the LTS is also there:
https://packages.debian.org/squeeze/bash

Code:
ModSecurity one-liner to fix Bash exploit (https://news.ycombinator.com/item?id=8366568)

1. Insert the following line in your ModSecurity configuration file:
SecRule REQUEST_HEADERS "()\s*{" "log,deny"
2. Restart Apache
 
Thanks for the info.

Looks like we must now add this repo to the Debian Appliance Builder (DAB) package and our OpenVZ template build files?

The typical Squeeze /etc/apt/sources.list file should now be:

Code:
deb http://ftp.debian.org/debian squeeze main contrib

deb http://ftp.debian.org/debian squeeze-updates main contrib
deb http://ftp.debian.org/debian squeeze-lts main contrib

deb http://security.debian.org squeeze/updates main contrib
 
Hi all,

I've looked through these threads and am trying to update BASH on our Proxmox nodes. We currently have BASH 4.1.5(1)-release (from bash --version) and have done the following:

apt-get update
apt-get install --only-upgrade bash

But it just says "bash is already the newest version". According to this thread and others, there should be a patched version available.

Any ideas how I can get it to update?

Many thanks
 
Hello,
I use the version 2.3-13 of Proxmox.

All upgrades are up to date:
Lecture des informations d'état... Fait
0 mis à jour, 0 nouvellement installés, 0 à enlever et 0 non mis à jour.


This is my original sources.list:
## Debian Squeeze sources.list
## Debian.org FR mirror
deb http://ftp.fr.debian.org/debian/ squeeze main contrib non-free
deb-src http://ftp.fr.debian.org/debian/ squeeze main contrib non-free
## Debian security updates
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
# PVE packages provided by proxmox.com
deb http://download.proxmox.com/debian squeeze pve

When I make this test: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

I have this result:
vulnerable
this is a test


So the update at this time doesn't fix the vulnerability?
Is my sources list incorrect?

Thanks for your answer.
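Two defender-side checks built from what this thread describes, added here as an example and not part of any post: the first wraps the env test quoted above so it returns a status word, the second greps an Apache access log for the same `()\s*{` pattern that the ModSecurity rule quoted earlier denies. The log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Two defender-side checks:
# the env-based bash test quoted above, and a grep for the same function
# definition pattern that the ModSecurity rule denies. Sample log is constructed.

# Classify the bash binary given as $1 (default: the first "bash" in PATH).
# Prints "vulnerable" if the command after the function body is executed,
# "patched" if it is ignored, "no-bash" if the binary cannot be found.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Same test as in the post above; a fixed bash prints a warning on stderr
    # (discarded here) and only "this is a test" on stdout.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Count lines in an Apache access log ($1) that carry the "()\s*{" pattern the
# ModSecurity rule blocks. In the combined log format the Referer and
# User-Agent headers are logged, which is where such requests show up.
count_shellshock_hits() {
    grep -cE '\(\)[[:space:]]*[{]' "$1"
}

# Constructed sample log in combined format (not real traffic). Lines 1 and 3
# carry the pattern in the User-Agent and Referer fields, line 2 is benign.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo test"
198.51.100.8 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo test" "curl/7.26.0"
EOF

echo "local bash: $(shellshock_status)"
echo "log hits:   $(count_shellshock_hits "$SAMPLE_LOG")"
```

Run it on a node to get the bash status, and point `count_shellshock_hits` at the real access log to see whether the pattern was already seen before the rule was in place.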
 
The squeeze-lts repo has the fixed version of bash.
Add the following line to your /etc/apt/sources.list file:
Code:
deb http://ftp.fr.debian.org/debian/ squeeze-lts main contrib non-free
Then do an apt-get update && apt-get dist-upgrade

This is the reason why the DAB.pm should be updated to include the said repo; this is discussed and provided in another forum post.
 
So after updating the sources list, I find a bunch of updates:

root@hypo:~# aptitude dist-upgrade
The following packages will be upgraded:
apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common apt apt-utils bash bind9-host dnsutils fail2ban file
gnupg gnupg-curl gpgv libbind9-60 libc-bin libc-dev-bin libc6 libc6-dev libc6-i386 libcups2 libcurl3 libcurl3-gnutls libdns69
libgnutls26 libgpgme11 libgssapi-krb5-2 libgssrpc4 libisc62 libisccc60 libisccfg62 libk5crypto3 libkadm5clnt-mit7
libkadm5srv-mit7 libkdb5-4 libkrb5-3 libkrb5support0 liblua5.1-0 liblwres60 liblzo2-2 libmagic1 libnspr4-0d libnss3-1d
libssl0.9.8 libtiff4 libxml2 libxml2-dev libxml2-utils linux-libc-dev locales openssl procmail python-reportbug{b} python2.6
python2.6-minimal reportbug
57 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 39.4 MB of archives. After unpacking 524 kB will be used.
The following packages have unmet dependencies:
python-reportbug: Depends: python-debian which is a virtual package.
The following actions will resolve these dependencies:

Remove the following packages:
1) python-reportbug
2) reportbug



Accept this solution? [Y/n/q/?] n

I don't know what the reportbug dependencies will cause to fail, so I just did "aptitude upgrade bash" for now.

Has anyone gone through this full update with no errors? My servers are 250 miles away and I'm not scheduled to visit for a little while.
 
Hi,
but this isn't a Proxmox server?! Why should we know the dependencies of your software? ;-)

If you only want to update bash, use
Code:
apt-get update && apt-get install --only-upgrade bash -y
Udo
 
The squeeze-lts repo supports i386 and amd64 architectures only.

June 2014: The Debian project is pleased to announce that the Long Term Support (LTS) infrastructure to provide security updates for Debian GNU/Linux 6.0 (code name squeeze) until February 2016 is now in place. Users of this version should follow the instructions from the LTS wiki page to ensure that they get the LTS security updates.

Should Debian 6 LTS be a success, it would be repeated and generalized so that Debian 7 (wheezy) and Debian 8 (jessie) would also benefit from Long Term Support.

squeeze-lts is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success (with some overlap in people involved).

Make sure the conditions of LTS fit your system (arch: i386/amd64 only, several unsupported packages; you may use backports to get recent versions). Read the LTS FAQ.

Use Debian http redirection (trailing slash needed):
http://http.debian.net/debian/
http://http.debian.net/debian-backports/
 