Author Topic: CVE-2014-6271 BASH Vulnerability  (Read 1081 times)


Offline Toruk Makto

CVE-2014-6271 BASH Vulnerability
« on: September 25, 2014, 04:13:16 pm »
There is a new, actively exploited vulnerability in the bash Unix shell. You can read more about it at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Note that the LN server has been patched.

Irayo!

-M.

Lì’fyari leNa’vi ’Rrtamì, vay set ’almong a fra’u zera’u ta ngrrpongu
Na'vi Dictionary: http://files.learnnavi.org/dicts/NaviDictionary.pdf

Offline Wllìm

Re: CVE-2014-6271 BASH Vulnerability
« Reply #1 on: September 25, 2014, 04:33:30 pm »
+1 Irayo! It is great to see such a fast response... :D

For my home computer, I'm still waiting for a bash update from my distro... :-X
Stress practice | Noun declensions | Verb infixes • Weather forecasts in Na'vi | KDE nìNa'vi | My Na'vi blog
Seykxel sì nitram! Ngal rolun fì'upxaret aketsuktse'a! :D

Online Vawmataw

Re: CVE-2014-6271 BASH Vulnerability
« Reply #2 on: September 25, 2014, 04:46:03 pm »
Tìzeykusori irayo!

Offline Tirea Aean

Re: CVE-2014-6271 BASH Vulnerability
« Reply #3 on: September 25, 2014, 05:23:10 pm »
through/including Bash 4.3.. hmmm

I'm running:

*Mac: GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Arch Linux on Chromebook: GNU bash, version 4.3.24(1)-release (armv7l-unknown-linux-gnueabinhf)
Chrome OS: GNU bash, version 4.2.45(1)-release (armv7a-cros-linux-gnueabi)
Ubuntu Server [vm]: GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
Ubuntu Desktop [vm]: GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu)
RHEL 7 (UMBC): GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
*Fedora Server: GNU bash, version 4.2.37(1)-release (i686-redhat-linux-gnu)
(but the default shell at UMBC is actually tcsh)

Looks like the starred things I'm running are the only ones still currently vulnerable.

You can check if you're vulnerable by running this command in a bash terminal:

env x='() { :; }; echo vulnerable' bash -c 'echo hello'

If you get:

vulnerable
hello


then you're vulnerable to this hack.
« Last Edit: September 25, 2014, 05:28:16 pm by Tirea Aean »

kelku ikranä a hawnventi yom podcast (na'vi-only): https://tirearadio.com/podcast
Learn Na'vi Discord Chat: https://discord.gg/WF6qcmv
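
Added example (not part of the original post): the probe from the reply above wrapped in a POSIX sh script that prints a verdict per bash binary, including the cases of a machine with no bash at all or with several bash entries in /etc/shells. The function names and the marker string are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. SHELLSHOCK_MARKER is a constructed string
# used instead of the word "vulnerable" so it cannot be confused with a verdict.

# check_shellshock [bash-binary]
# Prints: vulnerable | patched | unknown | no-bash
# Returns 0 if patched or bash is absent, 1 if vulnerable, 2 if unclear.
# "patched" only means this one probe for CVE-2014-6271 did not fire.
check_shellshock() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # x holds a function definition followed by a trailing command. A vulnerable
    # bash runs that trailing command while importing its environment, before -c
    # is reached. The space in "() {" matters: bash only treats a value with
    # that exact prefix as an exported function.
    out=$(env x='() { :; }; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo hello' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *hello*)             echo "patched";    return 0 ;;
        *)                   echo "unknown";    return 2 ;;
    esac
}

# audit_shells [shells-file]
# Runs the check on every bash listed in the file (default /etc/shells) and
# prints "path: verdict (version line)". Returns 1 if any entry is not clean.
audit_shells() {
    shells_file=${1:-/etc/shells}
    status=0
    [ -r "$shells_file" ] || return 0
    while IFS= read -r shell_path; do
        case $shell_path in
            */bash) ;;
            *) continue ;;
        esac
        verdict=$(check_shellshock "$shell_path") || status=1
        version=$("$shell_path" --version 2>/dev/null | head -n 1)
        printf '%s: %s (%s)\n' "$shell_path" "$verdict" "${version:-no version output}"
    done < "$shells_file"
    return "$status"
}

audit_shells /etc/shells || echo "at least one listed bash needs an update"
```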

Offline Tìtstewan

Re: CVE-2014-6271 BASH Vulnerability
« Reply #4 on: September 25, 2014, 05:27:10 pm »
Irayo! :D

Ma Tirea, eltur tìtxen si! I should take a look at my Kubuntu in my VM...

-| Dict-Na'vi.com | Na'viteri Files | FAQ | LM | Puk Pxaw 'Rrta | Kem si fu kem rä'ä si, ke lu tìfmi. |-

Online Vawmataw

Re: CVE-2014-6271 BASH Vulnerability
« Reply #5 on: September 25, 2014, 05:29:53 pm »
You can check, but Fwa lu kxuke ke fkeytok.

Offline Tirea Aean

Re: CVE-2014-6271 BASH Vulnerability
« Reply #6 on: September 25, 2014, 05:31:41 pm »
Absolute guarantee of safety or impossibility of any hack indeed doesn't exist, which is basically the obvious fact of using computer technology.

But. With each patch, you are that much less vulnerable than you were before. Which is at least some form of improvement.


Offline Tìtstewan

Re: CVE-2014-6271 BASH Vulnerability
« Reply #7 on: September 25, 2014, 05:34:29 pm »
Does Android have this too? (as it is based on Linux?)


Offline Tirea Aean

Re: CVE-2014-6271 BASH Vulnerability
« Reply #8 on: September 25, 2014, 06:15:58 pm »
Quote from: Tìtstewan
"Does Android have this too? (as it is based on Linux?)"

I just tried on my Nexus 5 from adb to find bash.

Turns out Android doesn't even have bash installed. It just has /system/bin/sh
So looks like Android is not affected.

EDIT: and at that, it's a VERY limited version of mksh made for Android. Which makes sense. Yes, Android runs on the Linux kernel, but the user doesn't need access to a full system shell.
« Last Edit: September 25, 2014, 06:20:09 pm by Tirea Aean »


Offline Blue Elf

Re: CVE-2014-6271 BASH Vulnerability
« Reply #9 on: September 26, 2014, 02:13:45 pm »
Quote from: Tirea Aean
"Absolute guarantee of safety or impossibility of any hack indeed doesn't exist, which is basically the obvious fact of using computer technology."

It exists. If your computer is not networked and you do not use any removable media, not many people can hack it. :)
But I'm not sure if such a PC exists.
Certification authorities are near to this state (no network), but they still need to use removable media, as certificate requests must be somehow delivered to the authority.
Oe lu skxawng skxakep. Slä oe nerume mi.
"Oe tasyätxaw ulte koren za'u oehu" (Limonádový Joe)


Offline Tirea Aean

Re: CVE-2014-6271 BASH Vulnerability
« Reply #10 on: September 26, 2014, 02:41:58 pm »
Who in this day and age actually uses such a configuration? That's not just realistic. So that aside, I guess what I said still stands. The best we can do, without kidding ourselves, is make systems that are very very difficult to crack, but surely there will be some wiseguy who cracks it eventually. How many pieces of software are written once and are SO good that they never change version? I think none that are serious pieces of software.


Offline `Eylan Ayfalulukanä

Re: CVE-2014-6271 BASH Vulnerability
« Reply #11 on: September 27, 2014, 03:31:01 am »
We had a system here for many years that ran VMS, simply because it was 1.) close to hackproof and 2.) few, if anybody, used it at that time. This computer was also completely standalone, even though it would connect with the thinnet system we then had. This security was necessary because this system, if misused, could unlock or lock many of the consumer TV set-top boxes in use at the time, anywhere in the country.

Yawey ngahu!