Linux Bash Bug - Shellshock - is Real: Get Patched (Mac Too)
Bill Malchisky    

This is ugly, but fortunately you just have to update to a fixed Bash version and you're fine (for now). No need to reboot your system either. Red Hat was out early on this and escalated it appropriately. Their first round of updates covered all but one exploit permutation, so they issued a second bug identifier and are working to close it soon.

Their initial timeline: Red Hat announced the bug on 14 Sep, had a proposed upstream patch seven hours later (0500h 15 Sep), backported it to Bash 3.0, 3.1, 3.2, 4.0, 4.1, and 4.2 three days later on 18 Sep, announced the release 1h later, and made it public with an updated issue description six hours after that. Pretty impressive. On the 24th, Red Hat provided public documentation on this matter; six hours later it was reported that the fix misses one exploit permutation, so they are working to resolve that as I write this post. Things move fast in the world of open source.

Impact Statement

The following, from Red Hat, provides direct prose for the next two sections: "Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)"

Abstract Update

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.

How does this impact systems

This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.
All versions prior to those listed as updates for this issue are vulnerable to some degree.


Test If You Have The Bug

malchw@san-domino:~/Documents/$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


Positive Result

vulnerable

this is a test


Negative Result

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


Notations

1. Your response may be something similar and be just fine; the difference is getting noise versus a clean response as the positive result indicates
2. Run this check on any Apple Mac product running OS X, as tests show Macs are vulnerable too
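The one-line probe above, wrapped in a POSIX sh function so it can be dropped into an audit or inventory script and reports a clean status code instead of relying on eyeballing the output. This is an added example, not code from the original post; the function names are my own and it assumes a bash binary on PATH (or one passed as the first argument).

```shell
#!/bin/sh
# Added example: script the CVE-2014-6271 probe from the post.
# Exit status of shellshock_status:
#   0 = the probed bash ignored the crafted function body (patched)
#   1 = the trailing command in the variable was executed (vulnerable)
#   2 = no such bash binary found
shellshock_status() {
    bash_bin="${1:-bash}"                      # default: first bash on PATH
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Same probe as the post: an environment variable whose value looks like
    # an exported function followed by an extra command. The "ignoring
    # function definition attempt" warnings a patched bash prints go to
    # stderr and are discarded; only stdout decides the verdict.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;              # extra command ran: unpatched
        *)            return 0 ;;              # only "this is a test": patched
    esac
}

# Human-readable wrapper, e.g. for a cron job that mails the result.
shellshock_report() {
    bash_bin="${1:-bash}"
    rc=0
    shellshock_status "$bash_bin" || rc=$?
    case "$rc" in
        0) echo "patched: $("$bash_bin" --version 2>/dev/null | head -n1)" ;;
        1) echo "VULNERABLE to CVE-2014-6271: $bash_bin" ;;
        *) echo "no bash binary found: $bash_bin" ;;
    esac
    return "$rc"
}
```

Run shellshock_report on each host (or point it at /bin/bash, /usr/local/bin/bash and any other copies) and act on a non-zero exit status.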

Mitigation

Red Hat's Security Blog has a detailed analysis of which programs utilizing Bash can cause issues and why. "Bash specially-crafted environment variables code injection attack"


Resolution

Ideally, you need to be running bash-4.1.2-15 with current RHEL versions. Despite the bug's significance, the fix is really easy.

RHEL: # yum clean all && yum update bash
On my older RHEL 5 box: # rpm -Uvh bash-3.2-33.el5.1.i386.rpm

CentOS: # yum clean all && yum update bash
Ubuntu: $ update-manager -or- $ sudo apt-get update && sudo apt-get install --only-upgrade bash

If you know the version number, you can always specify it too (package name example is for RHEL 6.5):
# yum update bash-4.1.2-15.el6_5.1


-OR-
Get the update manually and update the RPM -> https://rhn.redhat.com/rhn/errata/details/Packages.do?eid=27888

Note: the "clean all" parameter above tells yum to clean all cached data, ensuring that bash can be updated more reliably, particularly on older systems; it may be considered optional on current systems.


Distro Provided Resolution Documents

CentOS posted a document on the exploit and obtaining fixes through their list serv, "[CentOS] Critical update for bash released today."
Red Hat's is here: "Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux"
Novell/SUSE; bug report with patches here
Debian
Ubuntu

Example Output - CentOS 6.5

[root@localhost ~]# yum clean all && yum update bash
Loaded plugins: fastestmirror, refresh-packagekit, security
Cleaning repos: base extras updates
Cleaning up Everything
Cleaning up list of fastest mirrors
Loaded plugins: fastestmirror, refresh-packagekit, security
Determining fastest mirrors
 * base: centos.chi.host-engine.com
 * extras: cosmos.cites.illinois.edu
 * updates: mirror.atlanticmetro.net
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.4 MB     00:05
extras                                                   | 3.3 kB     00:00
extras/primary_db                                        |  19 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 5.3 MB     00:06
Setting up Update Process
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.lga7.us.voxel.net
 * extras: mirror.es.its.nyu.edu
 * updates: centos.aol.com
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch            Version                   Repository        Size
================================================================================
Updating:
 bash          x86_64          4.1.2-15.el6_5.1          updates          905 k

Transaction Summary
================================================================================
Upgrade       1 Package(s)

Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
  Cleanup    : bash-4.1.2-15.el6_4.x86_64                                   2/2
  Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
  Verifying  : bash-4.1.2-15.el6_4.x86_64                                   2/2

Updated:
  bash.x86_64 0:4.1.2-15.el6_5.1

Complete!



Quick and Dirty Work-around, provided by Jake DePoy

# iptables --append INPUT -m string --algo kmp --hex-string '|28 29 20 7B|' --jump DROP


The Red Hat Customer Portal indicates the risk with the above work-around,
"Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability."

---------------------
http://www.BillMal.com/billmal/billmal.nsf/dx/patch-bash.htm
Sep 25, 2014
