Security
This site lists steps to secure the B3 against vulnerabilities that were discovered after the last official web update (2.6.0.2) was released by Excito.
Shellshock
Introduction
Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has been existing since roughly 1992. The following code allows testing for this vulnerability:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
A vulnerable system will print
vulnerable this is a test
whereas on a patched system the string vulnerable will not be printed.
While working on the bug, another severe flaw was discovered (CVE-2014-7169). Check for this vulnerability with the following line of code:
env X='() { (a)=>\' sh -c "echo date"; cat echo
CAUTION: A vulnerable system will print the current date and save it in a file called echo.
Fix
MouettE compiled the latest bash from source using the Debian squeeze LTS repository.
The complete file list of the build is as follows:
- bash_4.1-3+deb6u2_armel.deb
- bash-builtins_4.1-3+deb6u2_armel.deb
- bash-doc_4.1-3+deb6u2_all.deb
- bash-static_4.1-3+deb6u2_armel.deb
- bash_4.1-3+deb6u2.diff.gz
- bash_4.1-3+deb6u2.dsc
- bash_4.1-3+deb6u2_armel.changes
- bash_4.1.orig.tar.gz
Install the fixed bash version by running the following commands as root user:
wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb dpkg -i bash_4.1-3+deb6u2_armel.deb
The first command downloads the file marked bold from above, while the second installs the downloaded package.