Re: bash update tips for legacy SL4.x for shellshock vulnerability

2014-10-07 Thread Takashi ichihara

Hi,

Two new patches have been released after my post on Oct. 2 as
can be found at http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/
bash30-021  02-Oct-2014 22:15  1.7K
bash30-022  05-Oct-2014 19:02  3.4K

(Also, for bash-3.1, 3.2, 4.0, 4.1, 4.2 and 4.3, a total of
six patches have been released for each version so far
for the shellshock vulnerability.)

regards,
Takashi

On 2014/10/02 20:28, Kaj Niemi wrote:

Hi,

If you're ok with going to a newer bash in your EL4 environment you can rebuild 
the one from EL5, it will work as a drop-in replacement.


HTH


Kaj



On 02 Oct 2014, at 14:12, Takashi ichihara wrote:

Hi,

A few SL4.x nodes still exist in our lab, which will be retired
soon. The following are tips to update bash on legacy SL4.x for the
shellshock vulnerability. (Note: support for SL4.x ended in 2011.)

bash update tips for legacy SL4.x for shellshock vulnerability
Ref.
https://www.centos.org/forums/viewtopic.php?f=10&t=48643

On SL4.4-4.9 (i386 or x86_64), try as follows (at your own risk)
mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo "%_topdir /root/rpmbuild/" > /root/.rpmmacros
rpm -Uvh http://ftp1.scientificlinux.org/linux/scientific/obsolete/4x/SRPMS/vendor/bash-3.0-27.el4.src.rpm
cd /root/rpmbuild/SOURCES/
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-018
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-019
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-020

wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-021
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-022

# edit bash30-017 and change any reference to 3.0.16 to just 3.0 <- can be omitted.
cd /root/rpmbuild/SPECS/
#  edit  /root/rpmbuild/SPECS/bash.spec
# 1) uncomment the line %patch16 -p0 -b .016
# 2) edit this line (it is line 4):
# Release: 27%{?dist}.22
# 3) and add where appropriate
# %patch17 -p0 -b .017
# %patch18 -p0 -b .018
# %patch19 -p0 -b .019
# %patch20 -p0 -b .020

# %patch21 -p0 -b .021
# %patch22 -p0 -b .022

# Patch17: bash30-017
# Patch18: bash30-018
# Patch19: bash30-019
# Patch20: bash30-020

# Patch21: bash30-021
# Patch22: bash30-022

rpmbuild -ba bash.spec
# wait to see if it completes cleanly, may take several minutes
# update bash
rpm -Fvh /root/rpmbuild/RPMS/i386/bash-3.0-27.1.i386.rpm      # on i386, or
rpm -Fvh /root/rpmbuild/RPMS/x86_64/bash-3.0-27.1.x86_64.rpm  # on x86_64

Of course, it would be better to update to SL5/6/7 and
apply patches (yum update).

Best regards
Takashi Ichihara
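
The spec edits listed in the message above, scripted so they can be repeated on several nodes (an added example, not part of the original post). The `patch_spec` and `sample_spec` names and the layout of the constructed spec fragment, in particular the `Patch16:` tag and the commented `#%patch16` line, are assumptions; check them against the real bash.spec before use.

```shell
#!/bin/sh
# Added example (not from the thread): apply the bash.spec edits non-interactively.
# Assumption: the spec has a "Patch16:" tag and a commented "#%patch16 -p0 -b .016".

patch_spec() {  # usage: patch_spec <spec-file> <first-patch> <last-patch>
    spec=$1 first=$2 last=$3
    # A second run would duplicate the Patch tags and break rpmbuild, so refuse.
    if grep -q "^Patch${first}:" "$spec"; then
        echo "already patched: $spec" >&2
        return 1
    fi
    awk -v first="$first" -v last="$last" '
        # Step 2: extend Release (".22" in the message) so "rpm -F" sees a newer build.
        /^Release:/ { sub(/[ \t]+$/, ""); print $0 "." last; next }
        # Step 3a: declare the new patch files after the Patch16 tag.
        /^Patch16:/ {
            print
            for (i = first; i <= last; i++) printf "Patch%d: bash30-%03d\n", i, i
            next
        }
        # Step 1: uncomment %patch16 (the line then falls through to the next rule).
        /^#[ \t]*%patch16 / { sub(/^#[ \t]*/, "") }
        # Step 3b: apply the new patches right after patch 16, in order.
        /^%patch16 / {
            print
            for (i = first; i <= last; i++) printf "%%patch%d -p0 -b .%03d\n", i, i
            next
        }
        { print }
    ' "$spec" > "$spec.new" && mv "$spec.new" "$spec"
}

# Constructed fragment standing in for the real bash.spec (layout is assumed).
sample_spec() {
    cat <<'EOF'
Name: bash
Version: 3.0
Release: 27%{?dist}
Patch16: bash30-016
%prep
%setup -q
#%patch16 -p0 -b .016
EOF
}

demo=$(mktemp) && sample_spec > "$demo" && patch_spec "$demo" 17 22 && cat "$demo"
```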


Re: bash update tips for legacy SL4.x for shellshock vulnerability

2014-10-02 Thread Kaj Niemi
Hi,


If you're ok with going to a newer bash in your EL4 environment you can rebuild 
the one from EL5, it will work as a drop-in replacement.


HTH


Kaj




> On 02 Oct 2014, at 14:12, Takashi ichihara wrote:
> 
> Hi,
> 
> A few SL4.x nodes still exist in our lab, which will be retired
> soon. The following are tips to update bash on legacy SL4.x for the
> shellshock vulnerability. (Note: support for SL4.x ended in 2011.)
> 
> bash update tips for legacy SL4.x for shellshock vulnerability
> Ref.
> https://www.centos.org/forums/viewtopic.php?f=10&t=48643
> 
> On SL4.4-4.9 (i386 or x86_64), try as follows (at your own risk)
> mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
> echo "%_topdir /root/rpmbuild/" > /root/.rpmmacros
> rpm -Uvh http://ftp1.scientificlinux.org/linux/scientific/obsolete/4x/SRPMS/vendor/bash-3.0-27.el4.src.rpm
> cd /root/rpmbuild/SOURCES/
> wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
> wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-018
> wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-019
> wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-020
> # edit bash30-017 and change any reference to 3.0.16 to just 3.0
> cd /root/rpmbuild/SPECS/
> #  edit  /root/rpmbuild/SPECS/bash.spec
> # 1) uncomment the line %patch16 -p0 -b .016
> # 2) edit this line (it is line 4):
> # Release: 27%{?dist}.1
> # 3) and add where appropriate
> # %patch17 -p0 -b .017
> # %patch18 -p0 -b .018
> # %patch19 -p0 -b .019
> # %patch20 -p0 -b .020
> # Patch17: bash30-017
> # Patch18: bash30-018
> # Patch19: bash30-019
> # Patch20: bash30-020
> rpmbuild -ba bash.spec
> # wait to see if it completes cleanly, may take several minutes
> # update bash
> rpm -Fvh /root/rpmbuild/RPMS/i386/bash-3.0-27.1.i386.rpm      # on i386, or
> rpm -Fvh /root/rpmbuild/RPMS/x86_64/bash-3.0-27.1.x86_64.rpm  # on x86_64
> 
> Of course, it would be better to update to SL5/6/7 and
> apply patches (yum update).
> 
> Best regards
> Takashi Ichihara


bash update tips for legacy SL4.x for shellshock vulnerability

2014-10-02 Thread Takashi ichihara
Hi,

A few SL4.x nodes still exist in our lab, which will be retired
soon. The following are tips to update bash on legacy SL4.x for the
shellshock vulnerability. (Note: support for SL4.x ended in 2011.)

bash update tips for legacy SL4.x for shellshock vulnerability
Ref.
https://www.centos.org/forums/viewtopic.php?f=10&t=48643

On SL4.4-4.9 (i386 or x86_64), try as follows (at your own risk)
mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo "%_topdir /root/rpmbuild/" > /root/.rpmmacros
rpm -Uvh http://ftp1.scientificlinux.org/linux/scientific/obsolete/4x/SRPMS/vendor/bash-3.0-27.el4.src.rpm
cd /root/rpmbuild/SOURCES/
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-018
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-019
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-020
# edit bash30-017 and change any reference to 3.0.16 to just 3.0
cd /root/rpmbuild/SPECS/
#  edit  /root/rpmbuild/SPECS/bash.spec
# 1) uncomment the line %patch16 -p0 -b .016
# 2) edit this line (it is line 4):
# Release: 27%{?dist}.1
# 3) and add where appropriate
# %patch17 -p0 -b .017
# %patch18 -p0 -b .018
# %patch19 -p0 -b .019
# %patch20 -p0 -b .020
# Patch17: bash30-017
# Patch18: bash30-018
# Patch19: bash30-019
# Patch20: bash30-020
rpmbuild -ba bash.spec
# wait to see if it completes cleanly, may take several minutes
# update bash
rpm -Fvh /root/rpmbuild/RPMS/i386/bash-3.0-27.1.i386.rpm      # on i386, or
rpm -Fvh /root/rpmbuild/RPMS/x86_64/bash-3.0-27.1.x86_64.rpm  # on x86_64

Of course, it would be better to update to SL5/6/7 and
apply patches (yum update).

Best regards
Takashi Ichihara


Re: bash-update

2014-09-25 Thread Steve Traylen
Excerpts from Werf, C.G. van der (Carel)'s message of 2014-09-25 11:16:35 +0200:
> Yesterday a lot of yum-updates ran to update to the latest bash-versions.
> 
> Though my /bin/bash was changed last night, and yum.log shows 3.2.33 should 
> have installed, 
> # /bin/bash --version still shows 3.2.25
> 
> Of course, also # strings /bin/bash shows old version number.
> 
> Is this a policy NOT to change version-numbers?

The version of bash has not changed, only the release number, i.e. additional
patches on top of bash version 3.2.25.

Running

rpm -q --changelog bash | less

should give a clue as to the patches being applied.

Steve



> 
> Regards,
> Carel 

-- 
Steve Traylen, CERN IT.


Re: bash-update

2014-09-25 Thread John Rowe
On Thu, 2014-09-25 at 09:16 +, Werf, C.G. van der (Carel) wrote:
> Yesterday a lot of yum-updates ran to update to the latest bash-versions.
> 
> Though my /bin/bash was changed last night, and yum.log shows 3.2.33 should 
> have installed, 
> # /bin/bash --version still shows 3.2.25
> 
> Of course, also # strings /bin/bash shows old version number.
> 
> Is this a policy NOT to change version-numbers?

It's worth pointing out that there has just been a serious (and possibly
remote!) bash vulnerability which this fixes. 

A test is:

env X="() { :;} ; echo vulnerable" /bin/bash -c "echo completed"


My systems were echoing "vulnerable" before the fix but not after.

John
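
The test from the message above, wrapped so it can be pointed at any bash binary and used from a script (an added example, not part of the original post). `probe_bash`, `scan_bashes` and the stand-in binary are hypothetical names constructed here; the probe exercises only the test string quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): run the test above against a named binary
# and classify the result, since "bash --version" does not show the patch level.

probe_bash() {  # usage: probe_bash <path-to-bash>; prints vulnerable|patched|error
    bin=$1
    [ -x "$bin" ] || { echo error; return 2; }
    # Same probe as in the message; stderr is dropped because a patched bash
    # may print a warning about the function definition it refuses to import.
    out=$(env X='() { :;} ; echo vulnerable' "$bin" -c 'echo completed' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *completed*)  echo patched;    return 0 ;;
        *)            echo error;      return 2 ;;
    esac
}

# Check every bash found; a rebuilt or hand-installed copy may sit outside /bin.
scan_bashes() {  # usage: scan_bashes <dir>...; non-zero if any copy is not patched
    rc=0
    for dir in "$@"; do
        [ -x "$dir/bash" ] || continue
        state=$(probe_bash "$dir/bash") || rc=1
        echo "$dir/bash: $state"
    done
    return $rc
}

# Constructed stand-in that answers like an unpatched bash, to show the failing path.
fake_dir=$(mktemp -d)
printf '#!/bin/sh\necho vulnerable\necho completed\n' > "$fake_dir/bash"
chmod +x "$fake_dir/bash"

scan_bashes /bin /usr/bin /usr/local/bin "$fake_dir" || echo "at least one bash needs updating"
```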


bash-update

2014-09-25 Thread Werf, C.G. van der (Carel)
Yesterday a lot of yum-updates ran to update to the latest bash-versions.

Though my /bin/bash was changed last night, and yum.log shows 3.2.33 should 
have installed, 
# /bin/bash --version still shows 3.2.25

Of course, also # strings /bin/bash shows old version number.

Is this a policy NOT to change version-numbers?

Regards,
Carel