Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Iain Buclaw via Digitalmars-d-announce
On 1 October 2014 06:09, Nick Sabalausky via Digitalmars-d-announce
digitalmars-d-announce@puremagic.com wrote:
 Don't mean to be alarmist, but I'm posting this in case anyone else is like
 me and hasn't been paying attention since this news broke (AIUI) about a
 week ago.

 Apparently bash has its own heartbleed now, dubbed shellshock. Warm
 fuzzy flashbacks of TMNT: The Arcade Game aside, this appears to be pretty
 nasty *and* it affects pretty much every version of bash ever released. And
 of course bash exists on practically everything, so...pretty big deal.
 Security sites, blogs-o'-spheres, cloudosphere, etc are all over this one.
 (Don't know how I managed to miss it until now.)

 Patches have been issued (and likely more to come from what I gather), so:

 Go update bash on all your computers and servers, NOW. No, don't hit reply,
 do it now. Personally, I'd keep updating fairly frequently until the whole
 matter settles down a bit.


At work we do two things:

1) Add our main email to the Debian Security ML, so we tend to know
about any vulnerabilities that need patching at least 24 hours before
it hits the media.

2) Use an automated configuration management system, such as Puppet.
By the time we read the initial email, the fix had already been
applied to all servers without manual intervention. ;)

Of course, merely updating your packages is not enough to keep you
safe.  You must also consider which front-end facing applications are
using the now patched software, and restart it.

grep libvulnerable /proc/*/maps | grep deleted


Iain
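The one-liner above is the right idea: a long-running process that mapped a shared library before the package manager replaced the file on disk keeps the old copy mapped, and the kernel marks such mappings with a "(deleted)" suffix in /proc/<pid>/maps. The script below is an added example, not Iain's or anyone else's code from the thread. It wraps that check in a function that reports "<pid> <path>" pairs, optionally filtered by a library name, and exercises it on constructed sample maps files (fake pids, fake addresses) in a temporary directory so it runs offline; the PROC_ROOT parameter exists only so the same logic can be pointed at that sample tree. On a real host run it as root, since unprivileged users can only read the maps of their own processes. Note that this catches replaced shared libraries (OpenSSL after Heartbleed, for instance); bash itself is exec'd fresh on each invocation, so for Shellshock the concern is rather the services that spawn it.

```shell
#!/bin/sh
# Added example, not from the original post: a scripted version of the
# "grep ... /proc/*/maps | grep deleted" check.
#
# deleted_maps [PATTERN] [PROC_ROOT]
#   PATTERN   optional substring the mapped path must contain (e.g. libssl);
#             empty means report every deleted mapping
#   PROC_ROOT directory laid out like /proc (PROC_ROOT/<pid>/maps); defaults
#             to /proc. Accepting another root is an assumption made here so
#             the logic can be run against constructed sample data.
# Prints one "<pid> <path>" line per process/path pair.
deleted_maps() {
    pattern="${1:-}"
    proc_root="${2:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # pid gone, or not readable by us
        pid=$(basename "$(dirname "$maps")")
        # maps fields: address perms offset dev inode [path ...] [(deleted)].
        # Paths may contain spaces, so fields 6..NF-1 are rejoined.
        awk -v pid="$pid" -v pat="$pattern" '
            NF >= 7 && $NF == "(deleted)" {
                path = $6
                for (i = 7; i < NF; i++) path = path " " $i
                if (pat == "" || index(path, pat) > 0) seen[path] = 1
            }
            END { for (p in seen) print pid, p }
        ' "$maps"
    done | LC_ALL=C sort -u
}

# Constructed sample data (not captured from a real host): three fake
# processes under DIR, two of which still map replaced libraries.
make_sample() {
    dir="$1"
    mkdir -p "$dir/1234" "$dir/5678" "$dir/9012" "$dir/self"
    cat > "$dir/1234/maps" <<'EOF'
00400000-004a0000 r-xp 00000000 08:01 131092 /usr/sbin/nginx
7f3a1c000000-7f3a1c1ab000 r-xp 00000000 08:01 393442 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a1c1ab000-7f3a1c3ab000 ---p 001ab000 08:01 393442 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a1c400000-7f3a1c460000 r-xp 00000000 08:01 393501 /usr/lib/libssl.so.1.0.0 (deleted)
7f3a1c500000-7f3a1c503000 rw-p 00000000 00:00 0
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
EOF
    cat > "$dir/5678/maps" <<'EOF'
00400000-00410000 r-xp 00000000 08:01 131200 /usr/sbin/sshd
7f9b00000000-7f9b00060000 r-xp 00000000 08:01 393501 /usr/lib/libssl.so.1.0.0 (deleted)
7f9b00100000-7f9b002ab000 r-xp 00000000 08:01 400001 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    cat > "$dir/9012/maps" <<'EOF'
00400000-00410000 r-xp 00000000 08:01 131300 /bin/sleep
7f9b00100000-7f9b002ab000 r-xp 00000000 08:01 400001 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    cp "$dir/9012/maps" "$dir/self/maps"     # "self" is not a pid and must be skipped
}

# Offline demonstration; on a live system call e.g. `deleted_maps libssl`.
demo=$(mktemp -d)
make_sample "$demo"
deleted_maps "" "$demo"          # every deleted mapping
deleted_maps libssl "$demo"      # only processes still using the old libssl
rm -rf "$demo"
```

On the sample data the unfiltered call reports libc and libssl for pid 1234 and libssl for pid 5678, and pid 9012 (which mapped the already-current libc) does not appear. A "(deleted)" mapping is not always a stale library: programs that unlink their own temp files or use memfd-style anonymous files show up the same way, so read the path before restarting anything.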


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Steven Schveighoffer via Digitalmars-d-announce

On 10/1/14 1:09 AM, Nick Sabalausky wrote:

Patches have been issued (and likely more to come from what I gather), so:


FWIW, MacOS X now has an update for bash that fixes the bug, apparently 
came out last night.


http://support.apple.com/kb/HT6495

-Steve


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread JN via Digitalmars-d-announce
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:


Other OSes/distros are likely equally easy. Please, reply with 
examples to help ensure other people on the same OS/distro as 
you have no excuse not to update!


I find it ironic that it's another big global security hole 
about which Windows users don't even have to be concerned.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread eles via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 13:41:43 UTC, JN wrote:
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:


I find it ironic that it's another big global security hole 
about which Windows users don't even have to be concerned.


That's of course very true, since Windows runs on no serious 
servers.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Paulo Pinto via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 13:58:25 UTC, eles wrote:

On Wednesday, 1 October 2014 at 13:41:43 UTC, JN wrote:
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:


I find it ironic that it's another big global security hole 
about which Windows users don't even have to be concerned.


That's of course very true, since Windows runs on no serious 
servers.


You would be surprised how some Fortune 500 companies are doing 
their serious work on 100% Windows servers.


Sadly I need to comply with NDAs.

--
Paulo


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Kagamin via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 14:29:16 UTC, Paulo  Pinto wrote:
You would be surprised how some Fortune 500 companies are doing 
their serious work on 100% Windows servers.


Sadly I need to comply with NDAs.


Isn't NASDAQ enough?


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Kagamin via Digitalmars-d-announce
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:
Apparently bash has its own heartbleed now, dubbed 
shellshock.


Does it affect dash?
Also, how does one update software on Linux? Last I checked, when 
a new version is out, the repository of the previous version becomes 
utterly abandoned. A pity; on Windows one can roll new software 
versions as long as they are maintained.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Dicebot via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 14:44:06 UTC, Kagamin wrote:
Also, how does one update software on Linux? Last I checked, 
when a new version is out, the repository of the previous version 
becomes utterly abandoned. A pity; on Windows one can roll new 
software versions as long as they are maintained.


This claim is so strange I can't even understand what it is 
about. Which repositories get abandoned?


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread eles via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 14:44:06 UTC, Kagamin wrote:
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky 
wrote:



Does it affect dash?


No. It is a bashism, i.e. an extension specific to Bash. Busybox 
users are not concerned either.


A pity, on windows one can roll new software versions as long 
as they are maintained.


It depends on the software (many abandoned Windows XP while still 
officially supported) and you shall not ask about the quality 
of this software either. It is not the same effort that goes into 
legacy versions as goes into newer versions.


BTW updating software on Windows is the PITAst of all ever 
(except maybe some medieval tortures). You have to install 
software manually, software after software. The first thing that 
I love in Linux is the centralized update.
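The "does it affect dash?" question above can be settled per binary rather than per rumour. The script below is an added example (not from anyone in the thread) that runs the well-known probe for the original Shellshock bug, CVE-2014-6271, against a given shell: an unpatched bash imports a function from any environment variable whose value begins with "() {" and keeps parsing past the closing brace, so a command appended there runs when the shell starts. dash and busybox ash never implemented that import, so they only run the command they were asked to run. The shell paths in the loop at the bottom are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example, not from the thread: probe a shell binary for CVE-2014-6271.
#
# shellshock_check /path/to/shell
#   prints a verdict; exit status 0 = vulnerable, 1 = not vulnerable,
#   2 = no such executable
shellshock_check() {
    shell="$1"
    if [ ! -x "$shell" ]; then
        echo "$shell: not found"
        return 2
    fi
    # A unique marker is used instead of the word "vulnerable" so the verdict
    # cannot be faked by a shell that merely echoes its own arguments.
    marker="SHELLSHOCK_MARKER_$$"
    # The env var value is a bash function definition followed by a trailing
    # command; only an affected bash executes that trailing command.
    out=$(env x="() { :;}; echo $marker" "$shell" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *"$marker"*)
            echo "$shell: VULNERABLE to CVE-2014-6271"
            return 0 ;;
        *)
            echo "$shell: not vulnerable to CVE-2014-6271"
            return 1 ;;
    esac
}

# Shells to probe (paths are assumptions; a missing one is reported, not fatal).
for s in /bin/bash /bin/sh /bin/dash; do
    shellshock_check "$s" || true     # keep going after a non-zero verdict
done
```

A clean result here only shows that the first fix is installed. The initial patch was incomplete and further parser bugs (CVE-2014-7169 among them) required additional bash updates, which is exactly why Nick's advice to keep updating until the dust settles is sound. Also remember that bash is pulled in indirectly: a CGI handler, a DHCP client hook or an sshd ForceCommand can hand attacker-controlled environment variables to /bin/bash even when the service itself is not written in shell.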


Re: Digger 1.0

2014-10-01 Thread Sean Kelly via Digitalmars-d-announce

On Tuesday, 30 September 2014 at 09:35:20 UTC, Marco Leise wrote:


So why would Apple be able to get away with 1GB on its just
released iPhone 6? Maybe 1048576 kilobytes is enough for
everyone?


ARC is more memory efficient than mark & sweep GC like Javascript 
uses.  Though a lot of it is just that iOS developers are simply 
very careful about memory use.  Writing a performant game in iOS 
is really quite hard because of the memory constraints.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Steven Schveighoffer via Digitalmars-d-announce

On 10/1/14 12:57 PM, Kagamin wrote:

On Wednesday, 1 October 2014 at 15:48:58 UTC, Dicebot wrote:

This claim is so strange I can't even understand what it is about.
Which repositories get abandoned?


Repositories of the not latest version of the OS. Because only latest
version receives development. That is, if the OS doesn't have rolling
updates.


https://wiki.ubuntu.com/LTS

-Steve


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread eles via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 16:57:07 UTC, Kagamin wrote:

On Wednesday, 1 October 2014 at 15:45:26 UTC, eles wrote:


Repositories of the not latest version of the OS. Because only 
latest version receives development. That is, if the OS doesn't 
have rolling updates.


What is the difference wrt Microsoft phasing out a Windows 
version? Except that upgrading from Windows to Windows is such a 
PITA that even the Brazen Bull seems to be just a nice couch.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Iain Buclaw via Digitalmars-d-announce
On 1 October 2014 18:12, Steven Schveighoffer via
Digitalmars-d-announce digitalmars-d-announce@puremagic.com wrote:
 On 10/1/14 12:57 PM, Kagamin wrote:

 On Wednesday, 1 October 2014 at 15:48:58 UTC, Dicebot wrote:

 This claim is so strange I can't even understand what it is about.
 Which repositories get abandoned?


 Repositories of the not latest version of the OS. Because only latest
 version receives development. That is, if the OS doesn't have rolling
 updates.


 https://wiki.ubuntu.com/LTS


One nice thing about Ubuntu is that they even give you access to
future kernel versions through what they call HWE.  In short, I can
run a 14.04 LTS kernel on a 12.04 server, so that I'm able to use
modern hardware and take advantage of software that uses features of
Linux that are actively worked on (like LXC) on an older software
stack.

Iain.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Dicebot via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 16:57:07 UTC, Kagamin wrote:

On Wednesday, 1 October 2014 at 15:45:26 UTC, eles wrote:

The first thing that I love in Linux is the centralized update.


The downside is it's taken down centrally too, while 
distributed windows software continues to work independently of 
each other.


On Wednesday, 1 October 2014 at 15:48:58 UTC, Dicebot wrote:
This claim is so strange I can't even understand what it is 
about. Which repositories get abandoned?


Repositories of the not latest version of the OS. Because only 
latest version receives development. That is, if the OS doesn't 
have rolling updates.


This is simply telling lies, sorry. All distros that don't have 
rolling release model provide LTS versions that get all important 
updates (including security updates, of course) for years. For 
example Ubuntu LTS lasts for 4 years where one can count on fast 
updates.


And even after that period your distro does not disappear 
magically, you are simply forced to install necessary updates 
manually (as opposed to 1 click / command update from repo), 
basically getting you back to Windows _default_ state of things.


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Dicebot via Digitalmars-d-announce

On Wednesday, 1 October 2014 at 18:42:41 UTC, Kagamin wrote:
I have a Linux Mint 12 installation with mint4win (wubi); on the 
Linux Mint forums I was told that updating from the latest 
repository won't work. I would be grateful if you explain how 
to upgrade it to the latest version. Yeah, theoretically it 
should be able to just overwrite files on disk without paying 
much attention to disk nature.


Linux Mint 12 is not LTS release (and _insanely_ old). You are 
supposed to do regular full upgrades with non-LTS releases, this 
is why bash update was not propagated to its repositories.


However you can simply go to 
http://packages.linuxmint.com/search.php?keyword=bash&release=any&section=any 
and download .deb package of more recent release from there to 
install manually. It may work or may not depending on how 
compatible dependencies are.


This is a very unpleasant experience you get compared to sticking to 
LTS or up to date distro but pretty much on the same level as one 
you normally have in the Windows all the time. And with little 
time investments it is miles and miles ahead any possible Windows 
experience you can get even theoretically (speaking exclusively 
about upgrade/update process here).


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Nick Sabalausky via Digitalmars-d-announce

On 10/01/2014 03:19 PM, Brad Roberts via Digitalmars-d-announce wrote:

On 10/1/2014 6:41 AM, JN via Digitalmars-d-announce wrote:

On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky wrote:


Other OSes/distros are likely equally easy. Please, reply with
examples to help ensure other people on the same OS/distro as you have
no excuse not to update!


I find it ironic that it's another big global security hole about
which Windows users don't even have to be concerned.


False.

All of my windows boxes needed to be updated.  One of the first things I
do on any new windows box is install cygwin to get a saner development
environment with bash as my shell.



Yea. I've been very tempted to put bash on my Win desktops as well. 
Heck, I may even have some old installation of msys/mingw bash still 
lying around somewhere.



I wouldn't be shocked at all if other windows apps bundle bash for one
reason or another too.  It might not come as part of the base install
(though given the huge pile of stuff that gets installed, I wouldn't put
huge bets on it not lurking off in a dark corner somewhere), but that's
not the end of the story.


Yup, Git comes to mind. (Or at least Git GUI?) Don't know whether that 
actually exposes any attack vectors, but I guess that's kinda the big 
question everyone's trying to find out, isn't it? What are all the 
possible attack vectors of this flaw? Some of them have been 
discovered, but who knows what else there may be.




Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Nick Sabalausky via Digitalmars-d-announce

On 10/01/2014 02:42 PM, Kagamin wrote:


I have a Linux Mint 12 installation with mint4win (wubi); on the Linux Mint
forums I was told that updating from the latest repository won't work.



I sympathize: 
http://www.linuxquestions.org/questions/linux-software-2/how-to-install-enlightenment-on-mint-15-a-4175492936/


That annoyance is why (aside from servers) I've switched to 
rolling-release distros. In my case, Debian Testing (which, as I've been 
told by others here, and can personally confirm, is much more stable 
than its unfortunately-chosen name would suggest). I picked that one 
since I'm most familiar with the general Debian family of distros 
(apt-get and all). But I've heard good things about Arch too and may 
look into it.


FWIW, I don't think all release-based distros are quite as aggressive as 
Mint with abandoning older releases. Even the super-outdated Debian 6 
apparently still has some support via its LTS repos. I suspect Mint may 
need to do things that way just as a manpower issue. Mint's a popular 
distro, but I get the impression its development is a relatively small 
grassroots thing with much more limited resources than say Debian or 
Ubuntu. (Of course, I could be wrong.)


Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Nick Sabalausky via Digitalmars-d-announce

On 10/01/2014 01:38 PM, Iain Buclaw via Digitalmars-d-announce wrote:


One nice thing about Ubuntu is that they even give you access to
future kernel versions through what they call HWE.  In short, I can
run a 14.04 LTS kernel on a 12.04 server, so that I'm able to use
modern hardware and take advantage of software that uses features of
Linux that are actively worked on (like LXC) on an older software
stack.



Is there anything similar in Debian?



Re: [OT Security PSA] Shellshock: Update your bash, now!

2014-10-01 Thread Dicebot via Digitalmars-d-announce
On Wednesday, 1 October 2014 at 20:45:14 UTC, Nick Sabalausky 
wrote:
I suspect Mint may need to do things that way just as a 
manpower issue. Mint's a popular distro, but I get the 
impression it's development is a relatively small grassroots 
thing with much more limited resources than say Debian or 
Ubuntu. (Of course, I could be wrong.)


This matches my observations too. It gained a lot of popularity 
when Ubuntu switched to Unity as default desktop environment and 
Fedora moved with Gnome 3 - quite many users started looking for 
a distro with more conservative defaults. However its development 
/ maintenance team does not seem to match that popularity burst.