Security

From BubbaWiki
Revision as of 02:55, 30 September 2014 by BIO (Talk | contribs) (Created page with information concerning the infamous Shellshock bug)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


This site lists steps to secure the B3 against vulnerabilities that were discovered after the last official web update (2.6.0.2) was released by Excito.

Shellshock

Introduction

Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has been existing since roughly 1992. The following code allows testing for this vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will print

vulnerable
this is a test

whereas on a patched system the string vulnerable will not be printed.

While working on the bug, another severe flaw was discovered (CVE-2014-7169). Check for this vulnerability with the following line of code:

env X='() { (a)=>\' sh -c "echo date"; cat echo

CAUTION: A vulnerable system will print the current date and save it in a file called echo.

Fix

MouettE compiled the latest bash from source using the Debian squeeze LTS repository.

The complete file list of the build is as follows:

Install the fixed bash version by running the following commands as root user:

wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb
dpkg -i bash_4.1-3+deb6u2_armel.deb

The first command downloads the file marked bold from above, while the second installs the downloaded package.