More information below. But take note, some patches below are partial fixes,
and another patch is needed to fully fix it.

To complicate things, Red Hat's investigation of the source code found another
issue in the bash parser, and it is developing another patch to fix it too.

So, there you go. A 1-2-3 punch for bash. So, some of the links may have
incorporated 1 or only 2 patches. The only one that I know of that
incorporates all 3 patches is Debian. Probably Red Hat; I have not personally
verified yet.

Debian - fix - https://www.debian.org/security/2014/dsa-3035
https://www.debian.org/security/2014/dsa-3032

CentOS - fix -
http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html

RedHat - fix - https://rhn.redhat.com/errata/RHSA-2014-1293.html &
https://access.redhat.com/articles/1200223

Novell/SUSE - fix -
http://support.novell.com/security/cve/CVE-2014-6271.html

Oracle Linux - fix - http://linux.oracle.com/cve/CVE-2014-6271.html

AIX - none yet - PMR has been created. But bash is not part of the default
installation for AIX unless you install the AIX Linux Toolbox.

HP-UX - don't know

Solaris - fix - IDR patch for Solaris 8 to 11. None for Solaris 7 and
below, but it's an easy recompile from source. https://support.oracle.com



regards,
Andre | 416-400-2257 | http://www.varon.ca

On Fri, Sep 26, 2014 at 12:44 AM, Drexx Laggui [personal] <[email protected]>
wrote:

> 26Sep2014 (UTC +8)
>
> I presume most of you have heard the news about Shellshock already.
> Here is more actionable information about the issue.
>
> Some are saying it's as big a problem as Heartbleed, but my gut
> feeling disagrees. I may be wrong though.
>
> ********************
>
>
> SANS FLASH REPORT:  The Shellshock vulnerability: What you should do now.
>
> September 25, 2014
>
> Shellshock merits this FLASH report because it is so widespread and so
> easy to exploit on systems like your firewalls and web servers and
> other similarly important servers running LINUX.
>
>
> Johannes Ullrich, Director of SANS Internet Storm Center just updated
> a brief webcast to provide authoritative answers to the five questions
> we are being asked:
>
> 1. How important is Shellshock (which specific types of systems can
> actually be exploited now)?
>
> 2. What is the primary way that this vulnerability is being exploited?
>
> 3. What went wrong? Where did the vulnerability come from?
>
> 4. How can you find out which of your systems are vulnerable? And how
> easy is it for attackers to find the vulnerable systems on your
> network?
>
> 5. How can you protect yourself?
>
> You can see the slides and listen to his briefing at:
>
> https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerability/18709
>
> Storm Center has also posted a FAQ which is being updated as new data is
> found:
>
> https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707
>
> Alan Paller, Director of Research, SANS Institute
> [...]
> ********************
>
>
>
>
> Drexx Laggui  -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> http://www.laggui.com  ( Manila & California )
> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> PGP fingerprint = 0117 15C5 F3B1 6564 59EA  6013 1308 9A66 41A2 3F9B
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> http://lists.linux.org.ph/mailman/listinfo/plug
> Searchable Archives: http://archives.free.net.ph
>