Bug #1559

issue patch for bash shellshock vulnerability

Added by cpg about 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 09/25/2014
Due date:
% Done: 0%


Description

we need to issue an hda-ctl update with a dep on the latest patch released upstream.

History

#1 Updated by cpg about 6 years ago

  • Status changed from New to Assigned
  • Assignee set to cpg

#2 Updated by cpg about 6 years ago

  • Project changed from testmasters to platform

an update has been released for fedora 19 with bash 4.2.47-2.fc19 containing a fix for the "Shellshock"/CVE-2014-6271/CVE-2014-7169 vulnerability.

#3 Updated by cpg about 6 years ago

we have built and released to the amahi 7 repos an update to hda-ctl (hda-ctl-5.4.1) that contains a dependency on bash-4.2.47-2

#4 Updated by cpg about 6 years ago

  • Status changed from Assigned to Closed

#5 Updated by bigfoot65 about 6 years ago

  • Status changed from Closed to Assigned

The hda-ctl update does not work for me.

<pre>
--> Running transaction check
---> Package hda-ctl.x86_64 0:5.4.0-1 will be updated
---> Package hda-ctl.x86_64 0:5.4.1-1 will be an update
--> Processing Dependency: bash >= 4.2.47-2.fc19 for package: hda-ctl-5.4.1-1.x86_64
--> Finished Dependency Resolution
Error: Package: hda-ctl-5.4.1-1.x86_64 (amahi)
Requires: bash >= 4.2.47-2.fc19
Installed: bash-4.2.47-1.fc19.x86_64 (@updates)
bash = 4.2.47-1.fc19
Available: bash-4.2.45-1.fc19.x86_64 (fedora)
bash = 4.2.45-1.fc19
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
</pre>

When I check for the new bash version, it is not available for me.

#6 Updated by cpg about 6 years ago

  • Assignee changed from cpg to bigfoot65

do yum clean metadata first.

#7 Updated by bigfoot65 about 6 years ago

  • Assignee changed from bigfoot65 to cpg

I did before trying to update. Just tried again with no luck.

#8 Updated by bigfoot65 about 6 years ago

Never mind, guess third time is a charm. I did the yum clean metadata all 3 times and finally on the last attempt it picked up the new bash.

Sorry for the false alarm.

#9 Updated by bigfoot65 about 6 years ago

  • Status changed from Assigned to Closed

#10 Updated by cpg about 6 years ago

there is a lot of caching and distribution latency with mirrors on the upstream distribution, so what is surprising is that three times worked right away, maybe it picked up some other mirrors that had the updated packages.

Anyone wanting to know if it's fixed (at least on the current best levels), you can type this in the command line:

<pre>
env x='() { :;}; echo vulnerable' bash -c 'echo done'
</pre>

a fixed bash will look something like this:

<pre>
$ env x='() { :;}; echo vulnerable' bash -c 'echo done'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
done
</pre>

and a bad bash will echo the word "vulnerable".
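
A scriptable form of the check in comment #10, as an added example that is not part of the original thread or of hda-ctl: it runs the same probe against a chosen bash binary and reports the behavioural result next to the installed package version, which is useful when mirrors lag and the version alone is ambiguous. The function names `shellshock_status` and `bash_report` are illustrative assumptions.

```shell
#!/bin/sh
# Added example: machine-readable wrapper around the probe from comment #10.
# Function names are hypothetical; nothing here ships with hda-ctl.

# shellshock_status [BASH_PATH]
# Prints "vulnerable", "patched" or "error"; returns 1, 0 or 2 respectively.
shellshock_status() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo error; return 2; }
    # Same probe as in the thread. stderr is discarded because a fixed bash
    # may print "ignoring function definition attempt" warnings there.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo done' 2>/dev/null) || :
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *done*)       echo patched;    return 0 ;;
        *)            echo error;      return 2 ;;  # crashed or produced no output
    esac
}

# bash_report [BASH_PATH]
# One line per binary: behavioural result plus the RPM version-release,
# or "unknown" when rpm is absent or bash is not an RPM-managed package.
bash_report() {
    bin=${1:-bash}
    st=$(shellshock_status "$bin") || :
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' bash 2>/dev/null) || pkg=unknown
    else
        pkg=unknown
    fi
    echo "$bin status=$st package=$pkg"
}
```

Call `bash_report /bin/bash` after `yum update` to confirm that the binary actually in use behaves as fixed, not just that the dependency resolved.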

#11 Updated by cpg about 6 years ago

There was another update to bash (and it may not be the last one).

We just pushed an update of hda-ctl to the repos requiring bash >= 4.2.48-2.
