Updated packages for the 'shellshock' bash vulnerabilities

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Updated packages for the 'shellshock' bash vulnerabilities

Post by TrevorH » 2014/09/26 18:56:51

Updated packages that fix both CVE-2014-6271 and CVE-2014-7169 as well as CVE-2014-7186 and CVE-2014-7187 are available for CentOS 5, 6 and 7 and can be found by running yum update or yum update bash. If you do not see the fixed version then try running yum clean all then try one of the above commands again. Use rpm -q bash to see the currently installed version and compare it with the list below.

The fixed packages are:
CentOS 5 - bash-3.2-33.el5.1 (fixes CVE-2014-6271 only) and bash-3.2-33.el5_10.4 (fixes all CVEs)
CentOS 6 - bash-4.1.2-15.el6_5.1 (fixes CVE-2014-6271 only) and bash-4.1.2-15.el6_5.2 (fixes all CVEs)
CentOS 7 - bash-4.2.45-5.el7_0.2 (fixes CVE-2014-6271 only) and bash-4.2.45-5.el7_0.4 (fixes all CVEs)

In addition, when CentOS 5.11 is released then there will be a new update available immediately in the 5.11 updates repo which will be bash-3.2-33.el5_11.4 (fixes all CVEs)

You can check the rpm changelog using rpm -q --changelog bash | less and see the list of fixes.

If you think that you are still vulnerable after applying the fixed packages then first check that the copy of bash you are running is coming from /bin/bash by running which bash and if you see anything other than /bin/bash then investigate how a non-packaged copy of bash arrived on your system.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
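A check of an installed package against the fixed versions listed in the post above, added here as an example (not code from the thread or from CentOS). It takes the string printed by `rpm -q bash` as its argument and assumes GNU `sort -V` for RPM-style version ordering:

```shell
#!/bin/sh
# Added example, not from the thread: classify the package printed by `rpm -q bash`
# against the fixed CentOS versions listed in the first post.
# Assumes GNU `sort -V` (coreutils) for RPM-style version ordering.

# Lowest package that fixes all four CVEs, per release family.
full_fix_for() {
  case "$1" in
    el5) echo bash-3.2-33.el5_10.4 ;;   # el5_11.4 sorts later and also passes
    el6) echo bash-4.1.2-15.el6_5.2 ;;
    el7) echo bash-4.2.45-5.el7_0.4 ;;
    *)   return 1 ;;
  esac
}

# Package that fixes CVE-2014-6271 only (the first, incomplete update).
partial_fix_for() {
  case "$1" in
    el5) echo bash-3.2-33.el5.1 ;;
    el6) echo bash-4.1.2-15.el6_5.1 ;;
    el7) echo bash-4.2.45-5.el7_0.2 ;;
    *)   return 1 ;;
  esac
}

# at_least A B: succeeds when version string A sorts at or after B.
at_least() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# shellshock_status NVR: prints fixed | partial | vulnerable | unknown
# and returns 0, 1, 2 or 3 respectively.
shellshock_status() {
  nvr=${1%.x86_64}; nvr=${nvr%.i686}; nvr=${nvr%.i386}   # drop the arch suffix
  fam=$(printf '%s\n' "$nvr" | sed -n 's/.*\.\(el[0-9]\).*/\1/p')
  full=$(full_fix_for "$fam") || { echo unknown; return 3; }
  partial=$(partial_fix_for "$fam")
  if at_least "$nvr" "$full"; then echo fixed; return 0; fi
  if at_least "$nvr" "$partial"; then echo partial; return 1; fi
  echo vulnerable; return 2
}

# Constructed sample values in `rpm -q bash` format (no rpm needed to run this).
for v in bash-4.1.2-14.el6.x86_64 bash-4.1.2-15.el6_5.1.x86_64 \
         bash-4.1.2-15.el6_5.2.x86_64 bash-3.2-33.el5_11.4.x86_64; do
  printf '%-32s %s\n' "$v" "$(shellshock_status "$v")"
done
```

On a live system, run `shellshock_status "$(rpm -q bash)"`; a result of "partial" means the first update is installed but CVE-2014-7169, 7186 and 7187 are still open.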

vjpiyush
Posts: 22
Joined: 2014/09/08 05:52:28

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by vjpiyush » 2014/09/30 06:00:26

We are using CentOS 6.2, 6.4 and 6.5, different releases.

As per Red Hat, the following are available (https://access.redhat.com/node/1207723), but I couldn't find the download location for the following rpms. Does anybody have any idea?

Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.1
Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.1

Can we upgrade any version of 6 (6.2, 6.4) to bash-4.1.2-15.el6_5.2?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by TrevorH » 2014/09/30 07:20:30

Those are paid-for Z stream updates. CentOS does not ship those. For CentOS, the only supported release is the current one in each major version so, currently, 5.10 (nearly 5.11), 6.5 and 7.0-1406.

vjpiyush
Posts: 22
Joined: 2014/09/08 05:52:28

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by vjpiyush » 2014/09/30 08:28:09

I have updated bash-4.1.2-14.el6.x86_64.rpm (6.4) to bash-4.1.2-15.el6_5.2.x86_64 (6.5); it updated successfully. I would like to know whether it is safe to upgrade like this to the current version of the rpm from CentOS 6.5.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by TrevorH » 2014/09/30 08:37:05

There are numerous known and fixed security vulnerabilities in all releases except the most recent CentOS 6.5 plus all pending patches. CentOS 6.2 is about 3 years old and there have been hundreds of patches made since its release. It is not safe to run unpatched and should be updated ASAP.

You can see a long list of the fixes on the Redhat errata page https://rhn.redhat.com/errata/rhel-server-6-errata.html

caheodao
Posts: 1
Joined: 2014/09/30 10:12:00

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by caheodao » 2014/09/30 10:20:12

Hi, since CentOS 3 is out of date, I just hope that there are some update packages for CentOS 3. Please let me know if anyone tries to fix it in CentOS 3...

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by TrevorH » 2014/09/30 13:00:53

No, there are no updated packages for CentOS 3 as it went EOL on 31 October 2010. It's time to migrate to something that hasn't been unmaintained for 4 years.

schedulerqueen
Posts: 2
Joined: 2014/10/03 03:34:24

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by schedulerqueen » 2014/10/03 04:21:48

If I should post this elsewhere as well, please advise. Just a heads up in case anyone else is affected, as I believe I have a regression related to the shellshock patch(es) for CentOS 6, when trying to use the 'at' command; at jobs that fail with /bin/bash or /bin/sh work fine with /bin/csh.

So here's my CentOS 6 system with the latest patches I'm aware of already installed:

# yum list bash
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
epel/metalink | 12 kB 00:00
<...snip...> | 3.0 kB 00:00
Installed Packages
bash.x86_64 4.1.2-15.el6_5.2 @sl-security

Other bash operations have been going okay, but I have a (rare) need for the at cmd, so I was trying it, both using a here document (<<EOF), and later with a '-f scriptfile' argument.

[prod@master tmp]$ at -f ./at.test.sh now + 1 minutes
job 8 at 2014-10-03 03:44

Let's take a look at the at job:

[prod@master tmp]$ at -c 8
#!/bin/sh
# atrun uid=512 gid=512
# mail prod 0
umask 2
<...snip out huge environment variable list...>
G_BROKEN_FILENAMES=1; export G_BROKEN_FILENAMES
BASH_FUNC_module()=\(\)\ {\ \ eval\ \`/usr/bin/modulecmd\ bash\ \$\*\`"
"}; export BASH_FUNC_module()
OLDPWD=/home/prod/scripts; export OLDPWD
cd /tmp || {
echo 'Execution directory inaccessible' >&2
exit 1
}
${SHELL:-/bin/sh} << 'marcinDELIMITER22e888fc'
#!/bin/bash
touch ~/output/atjob.`date +%H:%M:%S`.out

marcinDELIMITER22e888fc

#<end of at job listing>

So we see the BASH_FUNC_module line above; that seems to be what's new with the patch(es).

[prod@master tmp]$ at -c 8
Cannot find jobid 8

It's gone/done, but no output file, so the script failed:

[prod@master tmp]$ ls -l ~/output/atjob*out
ls: cannot access /home/prod/output/atjob*out: No such file or directory

Both the here-document and the -f file versions of the at job fail the same way, with the same error that gets sent to my email:

[prod@master tmp]$ mailx
Heirloom Mail version 12.4 7/29/08. Type ? for help.
"/var/spool/mail/prod": 7 messages 1 new 4 unread
<...snip...>
>N 7 Cluster user account Fri Oct 03 03:44 18/628 "Output from your job 8"
& 7
Message 7:
From prod@master Fri Oct 03 03:44:00 2014
Return-path: <prod@master>
Envelope-to: prod@master
Delivery-date: Fri, 03 Oct 2014 03:44:00 +0000
Date: Fri, 03 Oct 2014 03:44:00 +0000
Subject: Output from your job 8
To: prod@master
From: Cluster user account prod <prod@master>
Status: R

sh: line 48: syntax error near unexpected token `=\(\)\ {\ \ eval\ \`/usr/bin/modulecmd\ bash\ \$\*\`"
"}'
sh: line 48: `"}; export BASH_FUNC_module()'

& q

I can use /bin/csh for this purpose, but that's beside the point. I have some other systems that are at 4.1.2-15.el6_5.1; they fail the same way. I think this is related to the patch(es), and I can confirm that the failing job above works on an unpatched system.

Fyi,
Lyn

schedulerqueen
Posts: 2
Joined: 2014/10/03 03:34:24

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by schedulerqueen » 2014/10/03 18:01:07

Following up, turns out the problem with 'at' is known:

https://bugzilla.redhat.com/show_bug.cgi?id=1147043

amunro
Posts: 5
Joined: 2014/10/20 13:28:24

Re: Updated packages for the 'shellshock' bash vulnerabilities

Post by amunro » 2014/10/20 14:12:38

Got a weird issue updating the centos 6 bash rpm back into the repo in cobbler. Our centos 6.5 repo is from DVD1 and DVD2 merged. I put the rpm in the Packages folder, remove the older one and recreate the repo as below. Then I kickstart a build and it complains about the %pre phase on installing dbus. On investigation, there is no sh (or bash) in the chroot /mnt/sysimage/bin! I do this for rhel6.5, centos 7.0 and redhat 7.0 with no issues; the updated bash rpm gets installed!

Code:

DISTRO=cent6u6-x86_64
COMPSXML=$(ls /var/www/cobbler/ks_mirror/${DISTRO}/repodata/*comps*.xml)
createrepo -c cache -s sha --update --groupfile ${COMPSXML} /var/www/cobbler/ks_mirror/${DISTRO}

Note that the rhel distros get updated with the proper rpms from redhat and the centos distros get updated with the proper centos rpms.
