Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread Richard L. Hamilton
Which CVE is that, or is it something else?

On Oct 6, 2014, at 9:35 PM, Bob Friesenhahn wrote:

> The gift keeps on giving.  There is yet another related security patch for 
> bash.  Here is the one for bash 4.3:
> 
> http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html
> 
> Bob
> -- 
> Bob Friesenhahn
> bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,http://www.GraphicsMagick.org/
> 
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
> 




Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread Bob Friesenhahn
The gift keeps on giving.  There is yet another related security patch 
for bash.  Here is the one for bash 4.3:


http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,http://www.GraphicsMagick.org/



Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread Bayard Bell
These aren't new aspects of the bug. The fact is that default operation of
systems using bash as the shell for interpolation with system or for
scripts interpreted by bash allows remote code execution by taking strings
from untrusted sources (e.g. USER_AGENT in web servers) and passing them
through the environment, which allows remote code execution. What you're
reporting here is instances of the resulting problem in products matching
this description, not fundamental changes to the understanding of the bug.

What's been difficult is that Red Hat's security response team and bash
upstream initially differed on the scope of the issue and thus patching, as
Red Hat believed there were broader problems and that upstream patches were
therefore too limited in scope. Red Hat was subsequently shown to be
correct.

The confusion is that there are a number of CVEs out there, and the patches
went out in batches. There are quite a variety of tests proposed for the
fully documented CVEs, and some of the CVEs remain embargoed, with Red Hat
simply advising that people take patches which bash upstream subsequently
accepted.

On 6 October 2014 18:58, The Outsider  wrote:

> Search q-nap & shellshock and you see how deep this goes...
>
>
> On 6 October 2014 19:28:00 David Brodbeck wrote:
>
>> On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith <
>> alan.coopersm...@oracle.com> wrote:
>>
>> > On 10/ 2/14 07:00 AM, Brandon Hume wrote:
>> >
>> >> On many (most?  all?) Linuxes, /bin/sh *is* /bin/bash.
>> >>
>> >
>> > Many, but not all - the Debian family and some others use a lighter weight,
>> > POSIX compatible shell instead, dash, the Debian Almquist Shell; and many
>> > embedded distros use BusyBox instead.
>> >
>> > https://en.wikipedia.org/wiki/Almquist_shell
>> > http://lwn.net/Articles/343924/
>>
>>
>>
>> A big driver of this was faster boot, since boot scripts run on /bin/sh.
>> On some systems the startup time for all those bash processes was a
>> considerable portion of the total boot time.
>>
>> Note: It's not enough to make sure no CGI scripts are being run with
>> /bin/bash.  You also need to make sure no bash processes are being launched
>> by other scripts, since many scripting languages launch a shell to run
>> external commands.  Unless the environment is explicitly cleared these are
>> likely to inherit the environment of the calling process, with all the
>> nasties in it.
>>
>> --
>> D. Brodbeck
>> System Administrator, Linguistics
>> University of Washington
>> GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875


Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread The Outsider

Search q-nap & shellshock and you see how deep this goes...


On 6 October 2014 19:28:00 David Brodbeck wrote:


On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith <
alan.coopersm...@oracle.com> wrote:

> On 10/ 2/14 07:00 AM, Brandon Hume wrote:
>
>> On many (most?  all?) Linuxes, /bin/sh *is* /bin/bash.
>>
>
> Many, but not all - the Debian family and some others use a lighter weight,
> POSIX compatible shell instead, dash, the Debian Almquist Shell; and many
> embedded distros use BusyBox instead.
>
> https://en.wikipedia.org/wiki/Almquist_shell
> http://lwn.net/Articles/343924/



A big driver of this was faster boot, since boot scripts run on /bin/sh.
On some systems the startup time for all those bash processes was a
considerable portion of the total boot time.

Note: It's not enough to make sure no CGI scripts are being run with
/bin/bash.  You also need to make sure no bash processes are being launched
by other scripts, since many scripting languages launch a shell to run
external commands.  Unless the environment is explicitly cleared these are
likely to inherit the environment of the calling process, with all the
nasties in it.

--
D. Brodbeck
System Administrator, Linguistics
University of Washington
GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875


Re: [OpenIndiana-discuss] TUN driver for AMD64 machine running OpenIndiana

2014-10-06 Thread The Outsider

The SFE version isn't the latest version. But it works out-of-the-box.

Compiling the latest version from openvpn sources should be possible. You
can then copy the new version over the SFE version, I guess. This shouldn't
break the SMF paths.



On 6 October 2014 14:38:00 Jonathan Adams wrote:


root@jadlaptop:~# pkg publisher
PUBLISHER                                   TYPE     STATUS P LOCATION
openindiana.org                             origin   online F http://pkg.openindiana.org/hipster-2014.1/
jds.openindiana.org (non-sticky, disabled)  origin   online F http://opensolaris.cz:1/
sfe-encumbered                              origin   online F http://pkg.openindiana.org/sfe-encumbered/
sfe                 (non-sticky)            origin   online F http://pkg.openindiana.org/sfe/
localhost           (non-sticky, disabled)  origin   online F http://localhost:1/

root@jadlaptop:~# pkg list | grep tuntap
system/network/tuntap (sfe)                 1.3.2.0.0.1-0.151.1.9  i--


On 6 October 2014 12:48, Marc Lobelle  wrote:

> On 06/10/14 13:03, Jonathan Adams wrote:
>
>> I have the OpenVPN package installed from the sfe repository, that includes
>> the tuntap from sfe ...
>>
>> works fine on hipster.
>>
>> Jon
>>
> I had installed the opencsw version but apparently no tuntap in there.
> What is the url to get the sfe package ?
>
> Thanks
>
> Marc
>
>
>>
>> On 6 October 2014 11:42, Marc Lobelle  wrote:
>>
>>> Hi,
>>> I would like to connect an openindiana machine (AMD64) with openvpn over
>>> TUN. Does anybody of you know where I can get a precompiled TUN driver for
>>> openindiana? I'm certainly not the first needing this.
>>>
>>> Thanks
>>>
>>> Marc
>>>
>>>


Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread The Outsider
There are a lot of tools depending on bash, including virus scanners and
spam filters.


The openCSW bash installs into another directory than the "real"/old bash.
How can you change the old bash with the openCSW bash?


I saw that Solaris 11.2 supports a lot of (old) SPARC hardware, and most of
the x86 servers ever produced. Support contracts are reasonably priced, I
think. Especially in this situation...





On 6 October 2014 19:28:00 David Brodbeck wrote:


On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith <
alan.coopersm...@oracle.com> wrote:

> On 10/ 2/14 07:00 AM, Brandon Hume wrote:
>
>> On many (most?  all?) Linuxes, /bin/sh *is* /bin/bash.
>>
>
> Many, but not all - the Debian family and some others use a lighter weight,
> POSIX compatible shell instead, dash, the Debian Almquist Shell; and many
> embedded distros use BusyBox instead.
>
> https://en.wikipedia.org/wiki/Almquist_shell
> http://lwn.net/Articles/343924/



A big driver of this was faster boot, since boot scripts run on /bin/sh.
On some systems the startup time for all those bash processes was a
considerable portion of the total boot time.

Note: It's not enough to make sure no CGI scripts are being run with
/bin/bash.  You also need to make sure no bash processes are being launched
by other scripts, since many scripting languages launch a shell to run
external commands.  Unless the environment is explicitly cleared these are
likely to inherit the environment of the calling process, with all the
nasties in it.

--
D. Brodbeck
System Administrator, Linguistics
University of Washington
GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875


Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread David Brodbeck
On Thu, Oct 2, 2014 at 8:12 AM, Alan Coopersmith <
alan.coopersm...@oracle.com> wrote:

> On 10/ 2/14 07:00 AM, Brandon Hume wrote:
>
>> On many (most?  all?) Linuxes, /bin/sh *is* /bin/bash.
>>
>
> Many, but not all - the Debian family and some others use a lighter weight,
> POSIX compatible shell instead, dash, the Debian Almquist Shell; and many
> embedded distros use BusyBox instead.
>
> https://en.wikipedia.org/wiki/Almquist_shell
> http://lwn.net/Articles/343924/



A big driver of this was faster boot, since boot scripts run on /bin/sh.
On some systems the startup time for all those bash processes was a
considerable portion of the total boot time.

Note: It's not enough to make sure no CGI scripts are being run with
/bin/bash.  You also need to make sure no bash processes are being launched
by other scripts, since many scripting languages launch a shell to run
external commands.  Unless the environment is explicitly cleared these are
likely to inherit the environment of the calling process, with all the
nasties in it.

-- 
D. Brodbeck
System Administrator, Linguistics
University of Washington
GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875
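
The point made above, together with Bayard Bell's note that untrusted strings such as USER_AGENT travel through the environment, as an added example that is not part of the original posts: a script that launches /bin/sh passes its whole environment to the shell unless it builds an explicit one. The allow-list, the helper names and the sample values are assumptions made for this illustration.

```python
import os
import subprocess

# Names a helper command plausibly needs; everything else is dropped.
# The allow-list is an assumption for this example, tune it per service.
ALLOWED = ("PATH", "LANG", "LC_ALL", "TZ")


def minimal_env(parent, allowed=ALLOWED):
    """Build a child environment from an allow-list instead of inheriting."""
    env = {name: parent[name] for name in allowed if name in parent}
    env.setdefault("PATH", "/usr/bin:/bin")
    return env


def child_shell_sees(name, env):
    """Start /bin/sh the way system()-style helpers do and return the value
    that reaches the shell (and the command it runs) for `name`, or None
    if the variable is not set there."""
    result = subprocess.run(
        ["/bin/sh", "-c", 'printenv "$1"', "sh", name],
        env=env, capture_output=True, text=True, check=False,
    )
    return result.stdout.rstrip("\n") if result.returncode == 0 else None


def dropped_names(parent, allowed=ALLOWED):
    """List what the allow-list removes, useful when reviewing a service."""
    return sorted(set(parent) - set(allowed))


# Constructed parent environment: what a CGI-style script might be handed.
# HTTP_USER_AGENT stands in for any request-derived, untrusted value.
SAMPLE_PARENT = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "HTTP_USER_AGENT": "constructed-untrusted-value",
    "HTTP_COOKIE": "constructed-untrusted-cookie",
}

if __name__ == "__main__":
    # Passing the parent's environment unchanged is what inheritance amounts to.
    inherited = child_shell_sees("HTTP_USER_AGENT", SAMPLE_PARENT)
    cleaned = child_shell_sees("HTTP_USER_AGENT", minimal_env(SAMPLE_PARENT))
    print("inherited env :", inherited)
    print("allow-listed  :", cleaned)
    print("dropped       :", dropped_names(SAMPLE_PARENT))
```
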


Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread Udo Grabowski (IMK)

On 06/10/2014 14:54, Cal Sawyer wrote:

...
If the only solutions being offered after nearly 2 weeks are a) use ksh because bash is
somehow inferior (shades of "csh-is-detrimental") or 2. rebuild bash yourself
from source, I'd have to say that imho it's the polar opposite and this appears to be
confirmed in Andreas's post.


The simple fact is: The /dev maintainer(s?) seem to have silently
resigned without handing over the keys.
So no one is left who actually can apply and distribute the
patch (which shouldn't be that difficult, as it's only one package);
the /hipster community up to now has served only itself for the
purpose of porting the complete OI userland to gcc, and now, as
the pressure is rising, is trying to reorganise to take over /dev
to actually make stable and useable production releases.
This will take time, but I'm completely with you that a patch
for /dev/ should be made available as fast as possible, so the very
first task is to actually get access to the /dev/ infrastructure
to get at least something started.
--
Dr.Udo Grabowski   Inst.f.Meteorology & Climate Research IMK-ASF-SAT
http://www.imk-asf.kit.edu/english/sat.php
KIT - Karlsruhe Institute of Technology   http://www.kit.edu
Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026



Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread Cal Sawyer

Per openindiana.org:

"OpenIndiana is a robust enterprise operating system"

If the only solutions being offered after nearly 2 weeks are a) use ksh because bash is
somehow inferior (shades of "csh-is-detrimental") or 2. rebuild bash yourself
from source, I'd have to say that imho it's the polar opposite and this appears to be
confirmed in Andreas's post.

OmniOS had, as did virtually world+dog, a patch out the day after the bug was
announced - which is consistent with a /proper/ distribution, and it's where
I'm going now

- cal sawyer (on oi_151a8)

2014-10-03 11:55 GMT+02:00 Andreas Wacknitz:


What most people don't understand is that OpenIndiana is YOURS.
OpenIndiana is just a name with no company behind.
If you want something and nobody else is doing it then do it by yourself.
So instead of taking notes you should start acting.



I know. But it looks like openindiana at the moment hasn't got the
community momentum necessary to keep up with security issues. No blame to
anyone, but one has to take it into account if using in a production
environment.


--
Frank Van Damme
Make everything as simple as possible, but not simpler. - Albert Einstein






Re: [OpenIndiana-discuss] TUN driver for AMD64 machine running OpenIndiana

2014-10-06 Thread Jonathan Adams
root@jadlaptop:~# pkg publisher
PUBLISHER                                   TYPE     STATUS P LOCATION
openindiana.org                             origin   online F http://pkg.openindiana.org/hipster-2014.1/
jds.openindiana.org (non-sticky, disabled)  origin   online F http://opensolaris.cz:1/
sfe-encumbered                              origin   online F http://pkg.openindiana.org/sfe-encumbered/
sfe                 (non-sticky)            origin   online F http://pkg.openindiana.org/sfe/
localhost           (non-sticky, disabled)  origin   online F http://localhost:1/

root@jadlaptop:~# pkg list | grep tuntap
system/network/tuntap (sfe)                 1.3.2.0.0.1-0.151.1.9  i--


On 6 October 2014 12:48, Marc Lobelle  wrote:

> On 06/10/14 13:03, Jonathan Adams wrote:
>
>> I have the OpenVPN package installed from the sfe repository, that includes
>> the tuntap from sfe ...
>>
>> works fine on hipster.
>>
>> Jon
>>
> I had installed the opencsw version but apparently no tuntap in there.
> What is the url to get the sfe package ?
>
> Thanks
>
> Marc
>
>
>>
>> On 6 October 2014 11:42, Marc Lobelle  wrote:
>>
>>> Hi,
>>> I would like to connect an openindiana machine (AMD64) with openvpn over
>>> TUN. Does anybody of you know where I can get a precompiled TUN driver for
>>> openindiana? I'm certainly not the first needing this.
>>>
>>> Thanks
>>>
>>> Marc
>>>
>>>


Re: [OpenIndiana-discuss] TUN driver for AMD64 machine running OpenIndiana

2014-10-06 Thread Marc Lobelle

On 06/10/14 13:03, Jonathan Adams wrote:

I have the OpenVPN package installed from the sfe repository, that includes
the tuntap from sfe ...

works fine on hipster.

Jon

I had installed the opencsw version but apparently no tuntap in there.
What is the url to get the sfe package ?


Thanks

Marc



On 6 October 2014 11:42, Marc Lobelle  wrote:


Hi,
I would like to connect an openindiana machine (AMD64) with openvpn over
TUN. Does anybody of you know where I can get a precompiled TUN driver for
openindiana? I'm certainly not the first needing this.

Thanks

Marc




Re: [OpenIndiana-discuss] TUN driver for AMD64 machine running OpenIndiana

2014-10-06 Thread Jonathan Adams
I have the OpenVPN package installed from the sfe repository, that includes
the tuntap from sfe ...

works fine on hipster.

Jon


On 6 October 2014 11:42, Marc Lobelle  wrote:

> Hi,
> I would like to connect an openindiana machine (AMD64) with openvpn over
> TUN. Does anybody of you know where I can get a precompiled TUN driver for
> openindiana? I'm certainly not the first needing this.
>
> Thanks
>
> Marc
>
>


Re: [OpenIndiana-discuss] TUN driver for AMD64 machine running OpenIndiana

2014-10-06 Thread Predrag Zecevic [Unix Systems Administrator]

On 10/ 6/14 12:42 PM, Marc Lobelle wrote:

Hi,
I would like to connect an openindiana machine (AMD64) with openvpn over TUN.
Does anybody of you know where I can get a precompiled
TUN driver for openindiana? I'm certainly not the first needing this.

Thanks

Marc


Hi Marc,

for /dev pkg:/system/network/tuntap
for /hipster pkg:/driver/network/tun pkg:/driver/network/header-tun

Regards.






--
Predrag Zečević, Technical Support Analyst, 2e Systems GmbH

Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile:+49  174 3109 288, Skype: predrag.zecevic
E-mail:predrag.zece...@2e-systems.com

Headquarter:  2e Systems GmbH, Königsteiner Str. 87,
  65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director:Phil Douglas

http://www.2e-systems.com/ - Making your business fly!

[***]===---
Logic doesn't apply to the real world. -- Marvin Minsky



[OpenIndiana-discuss] TUN driver for AMD64 machine running OpenIndiana

2014-10-06 Thread Marc Lobelle

Hi,
I would like to connect an openindiana machine (AMD64) with openvpn over TUN. Does anybody of you
know where I can get a precompiled TUN driver for openindiana? I'm certainly not the first needing this.


Thanks

Marc




Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread Frank Van Damme
2014-10-06 9:31 GMT+02:00 Frank Van Damme :

> 2014-10-03 11:55 GMT+02:00 Andreas Wacknitz :
>
>> What most people don’t understand is that OpenIndiana is YOURS.
>> OpenIndiana is just a name with no company behind.
>> If you want something and nobody else is doing it then do it by yourself.
>> So instead of taking notes you should start acting.
>
>
>
> I know. But it looks like openindiana at the moment hasn't got the
> community momentum necessary to keep up with security issues. No blame to
> anyone, but one has to take it into account if using in a production
> environment.
>

FYI, OpenCSW seems to have a more current Bash version on board:
http://www.opencsw.org/package/bash/


-- 
Frank Van Damme
Make everything as simple as possible, but not simpler. - Albert Einstein


Re: [OpenIndiana-discuss] Bash bug issue

2014-10-06 Thread Frank Van Damme
2014-10-03 11:55 GMT+02:00 Andreas Wacknitz :

> What most people don’t understand is that OpenIndiana is YOURS.
> OpenIndiana is just a name with no company behind.
> If you want something and nobody else is doing it then do it by yourself.
> So instead of taking notes you should start acting.



I know. But it looks like openindiana at the moment hasn't got the
community momentum necessary to keep up with security issues. No blame to
anyone, but one has to take it into account if using in a production
environment.


-- 
Frank Van Damme
Make everything as simple as possible, but not simpler. - Albert Einstein