Bug #1559
issue patch for bash shellshock vulnerability
0%
Description
we need to issue an hda-ctl update with a dep on the latest patch released upstream.
History
#1 Updated by cpg almost 8 years ago
- Status changed from New to Assigned
- Assignee set to cpg
#2 Updated by cpg almost 8 years ago
- Project changed from testmasters to platform
an update has been released for fedora 19 with bash 4.2.47-2.fc19 containing a fix for the "Shellshock"/CVE-2014-6271/CVE-2014-7169 vulnerability.
#3 Updated by cpg almost 8 years ago
we have built and released to the amahi 7 repos an update to hda-ctl (hda-ctl-5.4.1) that contains a dependency on bash-4.2.47-2
#4 Updated by cpg almost 8 years ago
- Status changed from Assigned to Closed
#5 Updated by bigfoot65 almost 8 years ago
- Status changed from Closed to Assigned
The hda-ctl update does not work for me.
--> Running transaction check
---> Package hda-ctl.x86_64 0:5.4.0-1 will be updated
---> Package hda-ctl.x86_64 0:5.4.1-1 will be an update
--> Processing Dependency: bash >= 4.2.47-2.fc19 for package: hda-ctl-5.4.1-1.x86_64
--> Finished Dependency Resolution
Error: Package: hda-ctl-5.4.1-1.x86_64 (amahi)
Requires: bash >= 4.2.47-2.fc19
Installed: bash-4.2.47-1.fc19.x86_64 (@updates)
bash = 4.2.47-1.fc19
Available: bash-4.2.45-1.fc19.x86_64 (fedora)
bash = 4.2.45-1.fc19
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
When I check for the new bash version, it is not available for me.
#6 Updated by cpg almost 8 years ago
- Assignee changed from cpg to bigfoot65
do yum clean metadata first.
#7 Updated by bigfoot65 almost 8 years ago
- Assignee changed from bigfoot65 to cpg
I did before trying to update. Just tried again with no luck.
#8 Updated by bigfoot65 almost 8 years ago
Never mind, guess third time is a charm. I did the yum clean metadata all 3 times and finally on the last attempt it picked up the new bash.
Sorry for the false alarm.
#9 Updated by bigfoot65 almost 8 years ago
- Status changed from Assigned to Closed
#10 Updated by cpg almost 8 years ago
there is a lot of caching and distribution latency with mirrors on the upstream distribution, so what is surprising is that three times worked right away; maybe it picked up some other mirrors that had the updated packages.
Anyone wanting to know if it's fixed (at least on the current best levels), you can type this in the command line:
<pre>
env x='() { :;}; echo vulnerable' bash -c 'echo done'
</pre>
a fixed bash will look something like this:
<pre>
$ env x='() { :;}; echo vulnerable' bash -c 'echo done'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
done
</pre>
and a bad bash will echo the word "vulnerable".
#11 Updated by cpg almost 8 years ago
There was another update to bash (and it may not be the last one).
We just pushed an update of hda-ctl to the repos requiring bash >= 4.2.48-2.
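The check quoted in comment #10, wrapped so it can be run against every bash binary on a host and give an exit status for scripts. This is an added example, not code from the Amahi project; the function names `classify_probe_output`, `check_shell` and `audit_shells` are hypothetical. It uses only the probe shown on this page, so a "patched" result says nothing about the later bash update mentioned in comment #11.

```shell
#!/bin/sh
# Added example (not from the original issue). Function names are hypothetical.

# Classify the stdout of the probe from comment #10.
# Returns 0 = patched, 1 = vulnerable, 2 = inconclusive.
classify_probe_output() {
    case $1 in
        *vulnerable*) return 1 ;;   # the trailing command in x was executed
        *done*)       return 0 ;;   # only the requested command ran
        *)            return 2 ;;   # shell did not run the command at all
    esac
}

# Run the page's probe against one shell binary ($1).
check_shell() {
    [ -x "$1" ] || return 2
    # stderr is discarded: a fixed bash may print its "ignoring function
    # definition attempt" warning there, which is not part of the verdict.
    probe_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo done' 2>/dev/null) || return 2
    classify_probe_output "$probe_out"
}

# Probe bash on PATH plus every */bash entry in a shells file
# (default /etc/shells). Prints one line per binary and returns 1
# if any binary is vulnerable, so it can gate a deployment script.
audit_shells() {
    shells_file=${1:-/etc/shells}
    worst=0
    for bin in $(command -v bash 2>/dev/null) $(grep '/bash$' "$shells_file" 2>/dev/null); do
        rc=0
        check_shell "$bin" || rc=$?
        case $rc in
            0) echo "$bin: patched" ;;
            1) echo "$bin: VULNERABLE"; worst=1 ;;
            *) echo "$bin: could not test" ;;
        esac
    done
    return $worst
}
```

Calling `audit_shells` with no argument checks the local host; a non-zero return means at least one listed bash still executes the trailing command.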