Security

From BubbaWiki
Revision as of 01:55, 30 September 2014 by BIO (talk | contribs) (Created page with information concerning the infamous Shellshock bug)


This page lists steps to secure the B3 against vulnerabilities that were discovered after Excito released the last official web update (2.6.0.2).

Shellshock

Introduction

Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has existed since roughly 1992. The following command tests for this vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will print

vulnerable
this is a test

whereas on a patched system the string vulnerable will not be printed.

While the fix for this bug was being worked on, a second severe flaw was discovered (CVE-2014-7169). Check for it with the following command:

env X='() { (a)=>\' sh -c "echo date"; cat echo

CAUTION: On a vulnerable system this command writes the current date into a file called echo in the current directory, which the final cat then prints.
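As an added example (not part of this wiki page), the following POSIX sh script wraps both probes above so they return a verdict instead of output to eyeball. It names the bash binary explicitly rather than relying on what sh points to, runs the second probe in a scratch directory so a vulnerable system does not leave an echo file behind, and on Debian-based systems such as the B3 reports the installed bash package version. It assumes the bash to test is on PATH or is given in BASH_BIN.

```shell
#!/bin/sh
# Shellshock self-check (added example, not Excito's or MouettE's code).
# BASH_BIN is an assumed variable: the bash binary under test.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: does bash run the code that trails a function
# definition imported from the environment? Prints vulnerable/patched,
# or unknown if no bash binary is available to test.
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo this is a test" 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: does the parser bug leak the redirection, so that "date"
# runs and its output lands in a file named "echo"? Done in a temporary
# directory so a vulnerable host does not litter the current directory.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return 0; }
    dir=$(mktemp -d)
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -f "$dir/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$dir"
    echo "$verdict"
}

# Installed bash package version as dpkg reports it; empty on non-Debian hosts.
installed_bash_version() {
    dpkg-query -W -f='${Version}' bash 2>/dev/null || true
}

main() {
    echo "bash binary     : $BASH_BIN"
    echo "package version : $(installed_bash_version)"
    echo "CVE-2014-6271   : $(check_cve_2014_6271)"
    echo "CVE-2014-7169   : $(check_cve_2014_7169)"
}

main
```

After installing the fixed package, rerun the script; both CVE lines should read patched and the package version should be the one you installed.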

Fix

MouettE compiled the latest bash from source using the Debian squeeze LTS repository.

The complete file list of the build is as follows:

Install the fixed bash version by running the following commands as the root user:

wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb
dpkg -i bash_4.1-3+deb6u2_armel.deb

The first command downloads the package bash_4.1-3+deb6u2_armel.deb (the file marked bold in the list above), and the second installs the downloaded package.