[Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerability

Re: CVE-2014-6271 and CVE-2014-7169 Bash vulnerability

I was wondering the same thing after reading about these vulnerabilities yesterday. I'm on the mailing list for security updates, and I haven't seen anything released about bash; however, after updating my ports tree today on one of my FreeBSD 9.3 servers, it looks like there was a release yesterday:

Code:
root@staginglms:/usr/ports/shells/bash # ls -l | grep Sep
-rw-r--r--  1 root  wheel  3096 Sep 24 12:05 Makefile
-rw-r--r--  1 root  wheel  3185 Sep 24 12:05 distinfo
drwxr-xr-x  2 root  wheel     9 Sep 25 08:33 files

The patch site for bash listed in its Makefile is ftp://ftp.cwru.edu/pub/bash. You can go to ftp://ftp.cwru.edu/pub/bash/bash-4.3-patches/bash43-025 to see the details of the latest patch, level 25, and you can see that the patch does cover these vulnerabilities.
 
Re: CVE-2014-6271 and CVE-2014-7169 Bash vulnerability

Update is in the portstree, no binary package update yet.
That's very slow and concerning.
 
Re: CVE-2014-6271 and CVE-2014-7169 Bash vulnerability

I'm a FreeBSD noob, any help getting bash updated? So far I ran portsnap update and extract and when I run portupgrade bash:
Code:
[Reading data from pkg(8) ... - 33 packages found - done]

But the vulnerability is still there and I'm still on version 4.3.11.
 
Re: CVE-2014-6271 and CVE-2014-7169 Bash vulnerability

aronduby said:
I'm a FreeBSD noob, any help getting bash updated? So far I ran portsnap update and extract and when I run portupgrade bash:
Code:
[Reading data from pkg(8) ... - 33 packages found - done]

But the vulnerability is still there and I'm still on version 4.3.11.

Read portsnap(8), and look at the fetch directive. You can't update anything you did not fetch first.
 
Re: CVE-2014-6271 and CVE-2014-7169 Bash vulnerability

DutchDaemon said:
aronduby said:
I'm a FreeBSD noob, any help getting bash updated? So far I ran portsnap update and extract and when I run portupgrade bash:
Code:
[Reading data from pkg(8) ... - 33 packages found - done]

But the vulnerability is still there and I'm still on version 4.3.11.

Read portsnap(8), and look at the fetch directive. You can't update anything you did not fetch first.

Just did a portsnap fetch and update and it says it's up to date. If I run pkg_version -v then I get:

Code:
(port has 4.3.25_1)

So apparently I have it, I just can't seem to install it?
 
Re: CVE-2014-6271 and CVE-2014-7169 Bash vulnerability

pkg_version is deprecated, use pkg version.

What does echo $BASH_VERSION tell you?
 
Re: CVE-2014-6271 and CVE-2014-7169 Bash vulnerability

I guessed this result. After portsnap fetch update you have to run the command portmaster -a
(or portupgrade -a ... I think more ports than just bash will need updating).


(If you get:
Code:
portmaster - command not found
then cd /usr/ports/ports-mgmt/portmaster and make install clean.)

Please, read:
https://www.freebsd.org/doc/handbook/updating-upgrading.html
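Checking $BASH_VERSION after the portmaster run only tells you the patch level, and the patch levels matter: upstream bash43-025 fixes CVE-2014-6271, while CVE-2014-7169 is fixed by bash43-026, so a plain 4.3.25 build is still exposed to the second bug. The POSIX sh script below is an added example, not code from this thread or from the FreeBSD ports tree. It exercises both bugs directly against whichever bash binary you name (defaulting to the first bash in PATH) and reports which environment-variable form that bash uses to export functions. The marker string and the two probe strings are constructed for this example; it assumes env, awk and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the forum thread): probe a bash binary for the two
# Shellshock bugs instead of trusting its version string.
#   CVE-2014-6271: commands appended to an exported function body run at startup.
#   CVE-2014-7169: parser state left over from a malformed function definition
#                  leaks into the next command that bash parses.
# Return code: 0 = neither probe fired, 1 = at least one fired, 2 = could not test.

shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no bash found at '$bash_bin'"; return 2; }
    rc=0

    # Probe 1 (CVE-2014-6271). A vulnerable bash prints the constructed marker
    # while importing $x from the environment, before it ever runs '-c'.
    out=$(env x='() { :;}; echo SHELLSHOCK_6271' "$bash_bin" -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_6271*) echo "CVE-2014-6271: VULNERABLE"; rc=1 ;;
        *)                 echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # Probe 2 (CVE-2014-7169). The dangling '>\' is carried into the -c command,
    # so a vulnerable bash runs 'date' redirected into a file named 'echo'.
    # Run it in a scratch directory so a hit cannot clobber anything real.
    tmpd=$(mktemp -d) || { echo "mktemp failed"; return 2; }
    ( cd "$tmpd" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmpd/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; rc=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$tmpd"
    return "$rc"
}

# Name of the environment variable the given bash uses to export a function.
# bash43-027 and later export as BASH_FUNC_<name>%% (some interim vendor builds
# used BASH_FUNC_<name>()); a bash that still exports a plain '<name>=() {'
# variable has at most the first-round fixes applied.
bash_func_export_var() {
    bash_bin="${1:-bash}"
    "$bash_bin" -c 'f() { :; }; export -f f; env' 2>/dev/null |
        awk -F= '$1 == "f" || $1 == "BASH_FUNC_f%%" || $1 == "BASH_FUNC_f()" { print $1; exit }'
}

# Stand-alone use: sh shellshock_check.sh [/path/to/bash]
shellshock_check "$@"
echo "function export variable: $(bash_func_export_var "${1:-bash}")"
```

On a FreeBSD box run it as sh shellshock_check.sh /usr/local/bin/bash; exit status 0 means neither probe fired. The second function is the follow-up check: bash43-027 moved exported functions into specially named variables so that an ordinary environment variable is never parsed as a function, which is what closes the bug class rather than the two individual CVEs.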
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

That ended up doing it, although I also had to update pkg. Any insight into why portupgrade -R bash wouldn't do it but portmaster worked?
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

man portupgrade

-R
--upward-recursive Act on all those packages required by the given
packages as well. (When specified with -F, fetch
recursively, including the brand new, uninstalled
ports that an upgraded port requires)

portupgrade -R will work on the packages that are depended on - in this case shells/bash. I think you have nothing installed that depends on shells/bash. portupgrade -a (all) should do it.
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

I didn't get an email about this even though I am on the security mailing list. :q
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

manas said:
I didn't get an email about this even though I am on the security mailing list. :q

It's not a security problem in the FreeBSD operating system but in third party software. If you look at the mailing list archives you'll find zero announcements concerning other third party software that have had some serious vulnerabilities, for example www/chromium.

There are separate tools for informing a user about vulnerabilities in ports and packages, all based on the FreeBSD VuXML database. The tool that you should be using now every time you update ports or packages is pkg-audit(8).
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

kpa said:
manas said:
I didn't get an email about this even though I am on the security mailing list. :q

It's not a security problem in the FreeBSD operating system but in third party software. If you look at the mailing list archives you'll find zero announcements concerning other third party software that have had some serious vulnerabilities, for example www/chromium.

Ah right. Thanks for clearing that up.
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

Colleagues, there is a task to update bash (or change the default shell to another one) on the web server, because bash is the default shell there. The server runs FreeBSD 7.2-RELEASE-p4; I inherited it from the previous administrator, so at the moment I cannot say whether nginx depends on bash or not, and if it does not, then we would have to change the default shell.

Colleagues, I have worked with BSD only a little, but I know the principles of ports and packages. I have very little time to deal with the finer points, because I still have other problems, so I need your help. What is the most rapid / correct / safest way to solve this problem? Can I solve it without updating the entire system?

Thank you for your time!
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

First things first, FreeBSD 7.2 has been End-of-Life since June 2010 and is not supported anymore. I strongly advise you to upgrade to a supported version. Second, on FreeBSD bash is not installed by default. It is therefore not a default shell (unless the previous administrator configured it to be the default shell, which is very unlikely).
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

SirDice said:
First things first, FreeBSD 7.2 has been End-of-Life since June 2010 and is not supported anymore. I strongly advise you to upgrade to a supported version. Second, on FreeBSD bash is not installed by default. It is therefore not a default shell (unless the previous administrator configured it to be the default shell, which is very unlikely).
Unfortunately the default shell is bash:
Code:
echo $SHELL
/usr/local/bin/bash

bash --version
GNU bash, version 4.1.7(0)-release (i386-portbld-freebsd7.2)
Can I compile bash from fresh source code for FreeBSD 7.2? Or should I just change to the tcsh or sh shell?
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

I suggest planning an upgrade of the system because the shellshock issue is the least of your worries. There have been numerous security issues since 7.2 went EoL and none of them are going to be fixed.
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

pgreplife said:
Unfortunately the default shell is bash:
Code:
echo $SHELL
/usr/local/bin/bash

bash --version
GNU bash, version 4.1.7(0)-release (i386-portbld-freebsd7.2)
Can I compile bash from fresh source code for FreeBSD 7.2? Or should I just change to the tcsh or sh shell?

Maybe, but not likely. Even if you succeed there are still multiple vulnerabilities in the operating system itself. I would worry more about that than fixing the bash vulnerabilities. As @SirDice already mentioned, the only way to secure the server is to update to a supported version of FreeBSD.
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

Bash is not worth it; it is a vulnerability. In the past days security experts were telling the press about the danger of using Bash.
According to what the press was saying, millions of servers could be affected by the Bash vulnerability in free software. ;)
 
Re: [Solved] CVE-2014-6271 and CVE-2014-7169 Bash vulnerabil

Thank you, colleagues, for your advice and your time!
I think I will first back up the configs and data, then install version 10 on a test host and try to move all the configs and data over.
 