Re: [OpenIndiana-discuss] Bash bug issue
On 9/27/14, 1:59 AM, Nemo wrote:
> On 26 September 2014 19:44, Saso Kiselkov wrote:
>> On 9/27/14, 1:41 AM, Nemo wrote:
> [...]
>>> Whence does the OI bash source originate? On the bash that comes with
>>> Solaris 10, the vulnerability is not present:
>>>
>>> [~]=> bash --version
>>> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
>>> Copyright (C) 2004 Free Software Foundation, Inc.
>>> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>>> completed
>>
>> In general, bash != /bin/sh on either Solaris or Illumos-derived
>> systems. Rerun the env test with bash instead of /bin/sh.
>
> [~]=> echo $SHELL
> /bin/bash
> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
> completed
>
> Note that I put bash into /bin to avoid GNUisms.

The invoking shell is irrelevant. Here's your problem:

                               vvvvvvv
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
                               ^^^^^^^

Put bash in there and you'll get a vulnerable "busted" result.

-- Saso

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
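The point the replies keep making is that the probe has to be pointed at the bash binary itself, because on Solaris and illumos /bin/sh is ksh93 and will never import a function from the environment. The script below is an added example, not code from the thread or from OpenIndiana: it wraps the env test from the posts in a function that first checks whether the given path is actually bash (by asking it for $BASH_VERSION, which only bash sets) and only then runs the function-import probe, so a "completed" from a non-bash /bin/sh is reported as "not-bash" rather than mistaken for a patched bash. The list of candidate paths in the loop at the bottom is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): test one specific shell
# binary for the bash function-import bug ("Shellshock") the way the replies
# above insist on. On Solaris/illumos /bin/sh is ksh93, so a clean result from
# /bin/sh says nothing about the bash that a CGI script or login shell would
# actually exec.

# Usage: shellshock_check /path/to/shell
# Prints exactly one of: not-found | not-bash | VULNERABLE | patched
# Exit status: 0 only for "patched", so callers can chain on it.
shellshock_check() {
    shell=$1
    [ -x "$shell" ] || { echo not-found; return 2; }

    # Step 1: is this binary really bash? Only bash sets $BASH_VERSION. The
    # single quotes keep the caller's shell from expanding the variable, so
    # the child shell, not this script, decides what it prints.
    if [ -z "$("$shell" -c 'echo "$BASH_VERSION"' 2>/dev/null)" ]; then
        echo not-bash
        return 1
    fi

    # Step 2: the probe from the thread. The exported variable looks like a
    # function definition followed by a trailing command. Unpatched bash runs
    # the trailing "echo busted" while importing the environment, before it
    # gets to the -c command; patched bash treats X as an ordinary string.
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo completed' 2>/dev/null)
    case $out in
        *busted*) echo VULNERABLE; return 1 ;;
        *)        echo patched;    return 0 ;;
    esac
}

# Stand-alone run: check the paths that come up in the thread plus the
# current login shell (this candidate list is an assumption, not from the
# thread). Under ksh93 as /bin/sh the first line will read "not-bash".
for s in /bin/sh /bin/bash /usr/bin/bash "$SHELL"; do
    printf '%-16s %s\n' "$s" "$(shellshock_check "$s")"
done
```

Run it as `sh shellshock_check.sh`; the interpreter running the script does not matter, only the path handed to the function does, which is exactly the point Saso makes about the command line above.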
Re: [OpenIndiana-discuss] Bash bug issue
On 09/26/14 16:59, Nemo wrote:
> [~]=> echo $SHELL
> /bin/bash
> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
> completed
>
> Note that I put bash into /bin to avoid GNUisms.

Try:

$ env X="() { :;} ; echo busted" /bin/bash -c "echo completed"
Re: [OpenIndiana-discuss] Bash bug issue
On 26 September 2014 19:47, Gary Gendel wrote:
> The current maintainer says it's been in bash for ~20 years, why it's not in
> Solaris 10 is a mystery.

If you say which files, I can dig out the source from the companion disc and compare.

N.
Re: [OpenIndiana-discuss] Bash bug issue
On 26 September 2014 19:44, Saso Kiselkov wrote:
> On 9/27/14, 1:41 AM, Nemo wrote:
[...]
>> Whence does the OI bash source originate? On the bash that comes with
>> Solaris 10, the vulnerability is not present:
>>
>> [~]=> bash --version
>> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
>> Copyright (C) 2004 Free Software Foundation, Inc.
>> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>> completed
>
> In general, bash != /bin/sh on either Solaris or Illumos-derived
> systems. Rerun the env test with bash instead of /bin/sh.

[~]=> echo $SHELL
/bin/bash
[~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed

Note that I put bash into /bin to avoid GNUisms.

N.
Re: [OpenIndiana-discuss] Bash bug issue
The current maintainer says it's been in bash for ~20 years, why it's not in Solaris 10 is a mystery.

On 9/26/14, 7:41 PM, Nemo wrote:
> On 26 September 2014 17:02, Harry Putnam wrote:
>> Gary Gendel writes:
>>
>>> I believe we mostly skirt the issue because, unlike Linux, the default
>>> shell (/bin/sh) is ksh93 not bash. This means that under normal
>>> conditions we shouldn't have an issue. Only if your cgi scripts
>>> actually request bash will apache be a problem. As for ssh, it
>>> depends upon the login shell for the user.
>>
>> So, do you mean that ksh93 does not have the vulnerability?
>
> Whence does the OI bash source originate? On the bash that comes with
> Solaris 10, the vulnerability is not present:
>
> [~]=> bash --version
> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
> Copyright (C) 2004 Free Software Foundation, Inc.
> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
> completed
>
> N.
Re: [OpenIndiana-discuss] Bash bug issue
On 9/27/14, 1:41 AM, Nemo wrote:
> On 26 September 2014 17:02, Harry Putnam wrote:
>> Gary Gendel writes:
>>
>>> I believe we mostly skirt the issue because, unlike Linux, the default
>>> shell (/bin/sh) is ksh93 not bash. This means that under normal
>>> conditions we shouldn't have an issue. Only if your cgi scripts
>>> actually request bash will apache be a problem. As for ssh, it
>>> depends upon the login shell for the user.
>>
>> So, do you mean that ksh93 does not have the vulnerability?
>
> Whence does the OI bash source originate? On the bash that comes with
> Solaris 10, the vulnerability is not present:
>
> [~]=> bash --version
> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
> Copyright (C) 2004 Free Software Foundation, Inc.
> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
> completed

In general, bash != /bin/sh on either Solaris or Illumos-derived systems. Rerun the env test with bash instead of /bin/sh.

-- Saso
Re: [OpenIndiana-discuss] Bash bug issue
On 26 September 2014 17:02, Harry Putnam wrote:
> Gary Gendel writes:
>
>> I believe we mostly skirt the issue because, unlike Linux, the default
>> shell (/bin/sh) is ksh93 not bash. This means that under normal
>> conditions we shouldn't have an issue. Only if your cgi scripts
>> actually request bash will apache be a problem. As for ssh, it
>> depends upon the login shell for the user.
>
> So, do you mean that ksh93 does not have the vulnerability?

Whence does the OI bash source originate? On the bash that comes with Solaris 10, the vulnerability is not present:

[~]=> bash --version
GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
Copyright (C) 2004 Free Software Foundation, Inc.
[~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed

N.
Re: [OpenIndiana-discuss] Illumos KMF
On 09/26/14 04:53 PM, Alexander Pyhalov wrote:
> On 09/26/2014 18:39, Nikola M. wrote:
>> Are you actually sure you know what you need to be tested?
>
> No, this is why I'm asking. I'd like to update mozilla-nss and nspr and
> like to see what can be affected. And, honestly, if the question is
> "should we deliver out of date and vulnerable nss/nspr or break something
> which nobody uses", I'd prefer the latter.

How do you know "nobody uses" it? You woke up one day and decided it is like that, or you think posting on a mailing list is a true measurement of usage of what seems like core functionality for some uses? (Certificate Authority and managing keys certainly sounds like that.)

> In this case I don't think that it will be broken, mozilla nss/nspr
> libraries have good compatibility. Besides this, OmniOS has already
> updated them. But I just like to test it somehow.

True, let us learn how to use it, how to test it, how to test it and use it after changes and all that, without the pretext of "just remove it". It is commendable to ask people to react, but there must be some better process around it, like forming and then contacting team(s) etc.

There are many better ways of getting usage statistics than this. How about some preinstalled package that measures usage of commands as a service? (Too intrusive?) Or simply looking at IPS installation statistics from the /dev publisher (as opposed to the /hipster publisher, which I suppose not many people use on production machines, but on laptops and for testing etc.).
Re: [OpenIndiana-discuss] Bash bug issue
Gary Gendel writes:
> I believe we mostly skirt the issue because, unlike Linux, the default
> shell (/bin/sh) is ksh93 not bash. This means that under normal
> conditions we shouldn't have an issue. Only if your cgi scripts
> actually request bash will apache be a problem. As for ssh, it
> depends upon the login shell for the user.

So, do you mean that ksh93 does not have the vulnerability?
Re: [OpenIndiana-discuss] Illumos KMF
On 09/26/2014 18:39, Nikola M. wrote:
> On 09/26/14 10:02 AM, Alexander Pyhalov wrote:
>> Hello.
>
> Hello.
>
> Are you actually sure you know what you need to be tested?

No, this is why I'm asking. I'd like to update mozilla-nss and nspr and like to see what can be affected. And, honestly, if the question is "should we deliver out of date and vulnerable nss/nspr or break something which nobody uses", I'd prefer the latter.

In this case I don't think that it will be broken, mozilla nss/nspr libraries have good compatibility. Besides this, OmniOS has already updated them. But I just like to test it somehow.

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department
Re: [OpenIndiana-discuss] [oi-dev] Apache OpenOffice package
On 09/26/14 09:59 AM, Dave Koelmeyer wrote:
> Any pointers as to what's going on here? Certainly during the wait for
> the app there is no apparent heavy HDD activity at least

Seems like we all need to learn how to use DTrace probes to debug the system and see what component is doing what and for how long.
Re: [OpenIndiana-discuss] Illumos KMF
On 09/26/14 10:02 AM, Alexander Pyhalov wrote:
> Hello.
> I'd like to update mozilla-nss and mozilla-nspr in OI /hipster.
> However, it can affect illumos KMF (Key Management Framework)
> http://docs.oracle.com/cd/E18752_01/html/816-4557/kmf-1.html .
>
> Does someone use it? Does someone know how to test it?

One question on a mailing list is not enough to measure if and who uses what part of the system.

If you remove some important part of the system that makes it incompatible with previous ways of doing things, you must be sure to have procedures and commands that replace the functionality, and explain how that affects current applications' compatibility. It needs to be documented somewhere: how to migrate from the current state of using something to the new state, how the new tools are used compared to the previous ones, what to do in cases where compatibility is needed.

Making a distribution is not just hop-la "let's change something", "asking huh, is someone using it? - 5 seconds before we chop it off". All that "rolling release" way of dealing with things is a bad excuse for having something almost unmanageable, unmaintainable, unsupportable and useless for production use.

Unfortunately the bad practices of not having even versioned releases from illumos, and also not having exact data to steer and plan the distribution's way, but instead asking questions on the mailing list at random moments, make their way to OpenIndiana and other distros.

Are you actually sure you know what you need to be tested?
Re: [OpenIndiana-discuss] Illumos KMF
On 09/26/14 10:35 AM, Carsten Grzemba wrote:
> The main tools are certutil and pk12util to manage the cert8.db and
> key3.db's, which are still used by Firefox and Co. I guess the tools for
> managing the hardware encryption of Sparc Systems is not of interest
> here. Most OSS uses OpenSSL.

Using hardware encryption on SPARC is one of the most valuable things on the SPARC platform. There are patches in SunSSH that support SPARC hardware encryption. SPARC is supported on illumos and I see no reason for distributions to lose SPARC support.

Not integrating support for SPARC hardware encryption could be disastrous to SPARC support, as it was disastrous for x86 support in the 90s and in part of the 2000s. Better supporting SPARC is one of the bigger benefits of illumos distributions in comparison to other platforms.

With this rate of removing options, technologies and benefits from illumos distributions, we might be left with bare-bones distros that are worth nothing better than some XY Linux distro in the wild.
Re: [OpenIndiana-discuss] Illumos KMF
The main tools are certutil and pk12util to manage the cert8.db and key3.db's, which are still used by Firefox and Co. I guess the tools for managing the hardware encryption of Sparc Systems is not of interest here. Most OSS uses OpenSSL.

Am 26.09.14 schrieb Alexander Pyhalov:
> Hello.
> I'd like to update mozilla-nss and mozilla-nspr in OI /hipster.
> However, it can affect illumos KMF (Key Management Framework)
> http://docs.oracle.com/cd/E18752_01/html/816-4557/kmf-1.html .
>
> Does someone use it? Does someone know how to test it?
> --
> Best regards,
> Alexander Pyhalov,
> system administrator of Southern Federal University IT department
[OpenIndiana-discuss] Illumos KMF
Hello.

I'd like to update mozilla-nss and mozilla-nspr in OI /hipster. However, it can affect illumos KMF (Key Management Framework) http://docs.oracle.com/cd/E18752_01/html/816-4557/kmf-1.html .

Does someone use it? Does someone know how to test it?

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department
Re: [OpenIndiana-discuss] [oi-dev] Apache OpenOffice package
On 26/08/2014 12:23 a.m., Aurélien Larcher wrote:
> Hello, nice blog entry :) I just wanted to comment that I have been using
> the OpenOffice 4.0.1 package since the email was sent to the list and that
> I did not encounter any issue at all. The startup time is just around 7
> seconds on a 3GHz i7 desktop with regular 7.2K SATA drive, which I do not
> think is that slow.

Hi Aurélien,

Your times are what I'd expect to see – very strange however, as I'm seeing vastly and consistently longer launch times on my Xeon E3-1220 system – same speed HDD as yours, 8GB RAM, and a fairly bare-bones Hipster install.

Launching OpenOffice via Gnome after having logged in and letting the system sit in an idle state for several minutes, it takes 2m45s to see the OpenOffice splash screen. Rebooting the host system and repeating the same, I again see a consistent 2m45s launch time.

Subsequent launches of OpenOffice after having run the application once consistently come in at 45s, either launched from the Gnome menu, or launched via double-clicking on an existing ODT file.

Any pointers as to what's going on here? Certainly during the wait for the app there is no apparent heavy HDD activity at least.

Cheers,
Dave

--
Dave Koelmeyer
http://blog.davekoelmeyer.co.nz