Bug #1559: issue patch for bash shellshock vulnerability - platform - Amahi Home Server Tracker

Bug #1559

issue patch for bash shellshock vulnerability

Added by cpg almost 8 years ago. Updated almost 8 years ago.

Status:

Closed

Priority:

Normal

Assignee:

cpg

Category:

Target version:

Start date:

09/25/2014

Due date:

% Done:

Description

we need to issue an hda-ctl update with a dep on the latest patch released upstream.

History

#1 Updated by cpg almost 8 years ago

Status changed from New to Assigned
Assignee set to cpg

#2 Updated by cpg almost 8 years ago

Project changed from testmasters to platform

an update has been released for fedora 19 with bash bash 4.2.47-2.fc19 containing a fix for the "Shellshock”/CVE-2014-6271/CVE-2014-7169 vulnerability.

#3 Updated by cpg almost 8 years ago

we have built and released to the amahi 7 repos an update to hda-ctl (hda-ctl-5.4.1) that contains a dependency on bash-4.2.47-2

#4 Updated by cpg almost 8 years ago

Status changed from Assigned to Closed

#5 Updated by bigfoot65 almost 8 years ago

Status changed from Closed to Assigned

The hda-ctl update does not work for me.

--> Running transaction check ---> Package hda-ctl.x86_64 0:5.4.0-1 will be updated ---> Package hda-ctl.x86_64 0:5.4.1-1 will be an update --> Processing Dependency: bash >= 4.2.47-2.fc19 for package: hda-ctl-5.4.1-1.x86_64 --> Finished Dependency Resolution Error: Package: hda-ctl-5.4.1-1.x86_64 (amahi) Requires: bash >= 4.2.47-2.fc19 Installed: bash-4.2.47-1.fc19.x86_64 (@updates) bash = 4.2.47-1.fc19 Available: bash-4.2.45-1.fc19.x86_64 (fedora) bash = 4.2.45-1.fc19 You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest

When I check for the new bash version, it is not available for me.

#6 Updated by cpg almost 8 years ago

Assignee changed from cpg to bigfoot65

do yum clean metadata first.

#7 Updated by bigfoot65 almost 8 years ago

Assignee changed from bigfoot65 to cpg

I did before trying to update. Just tried again with no luck.

#8 Updated by bigfoot65 almost 8 years ago

Never mind, guess third time is a charm. I did the yum clean metadata all 3 times and finally on the last attempt it picked up the new bash.

Sorry for the false alarm.

#9 Updated by bigfoot65 almost 8 years ago

Status changed from Assigned to Closed

#10 Updated by cpg almost 8 years ago

there are lots of caching and distribution latency with mirrors on the upstream distribution, so what is surprising is that three times worked right away, maybe it picked up some other mirrors that had the updated packages.

Anyone wanting to know if it's fixed (at least on the current best levels), you can type this in the command line

env x='() { :;}; echo vulnerable' bash -c 'echo done'
<pre>

a fixed bash will look something like this:
</pre>
$ env x='() { :;}; echo vulnerable' bash -c 'echo done'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
done

and a bad bash will echo the word "vulnerable".

#11 Updated by cpg almost 8 years ago

There was another update to bash (and it may not be the last one).

We just pushed an update of hda-ctl to the repos requiring bash >= 4.2.48-2.

Also available in: Atom

Project

General

Profile

platform

Issues

Custom queries