[SAC] [OSGeo] #1412: Remote Code Execution via BASH Vulnerability

#1412: Remote Code Execution via BASH Vulnerability
---------------------------+------------------------------------------------
Reporter: darkblueb | Owner: sac@…
     Type: task | Status: new
Priority: critical | Milestone:
Component: Systems Admin | Keywords: SAC
---------------------------+------------------------------------------------
thread is here:

  http://seclists.org/oss-sec/2014/q3/649

All public-facing OSGeo machines need to be checked for this

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1412>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

#1412: Remote Code Execution via BASH Vulnerability
---------------------------+------------------------------------------------
Reporter: darkblueb | Owner: sac@…
     Type: task | Status: new
Priority: critical | Milestone:
Component: Systems Admin | Keywords: SAC
---------------------------+------------------------------------------------

Comment(by wildintellect):

Fix should be applied to all machines:

{{{
sudo apt-get update
sudo apt-get install bash
}}}

install bash will upgrade the already installed bash, but not accidentally
upgrade anything else that might not be ready for an upgrade.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1412#comment:1>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.
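
A dry run makes the claim in the comment above checkable per host before the fix is applied: `apt-get -s install bash` simulates the install, and its `Inst`/`Remv` lines list every package that would change. The script below is an added example, not part of the ticket; the function names are hypothetical, the sample outputs are constructed, and the version strings in them are placeholders.

```shell
#!/bin/sh
# Classify an `apt-get -s install bash` dry run before applying the fix.
# Live use:  apt-get -s install bash | plan_status

# plan_status: reads simulation output on stdin, prints one verdict, returns:
#   0 "bash-only"   only bash would be upgraded
#   1 "extra: ..."  other packages would be installed or removed as well
#   2 "no-change"   nothing would change (bash is current, or no newer
#                   bash is reachable from the configured sources)
plan_status() {
    awk '
        $1 == "Inst" || $1 == "Remv" {
            n++
            if ($1 != "Inst" || $2 != "bash") extra = extra " " $1 ":" $2
        }
        END {
            if (n == 0)      { print "no-change"; exit 2 }
            if (extra != "") { print "extra:" extra; exit 1 }
            print "bash-only"
        }
    '
}

# Constructed sample outputs (placeholder versions, hypothetical extra package).
sample_bash_only() { cat <<'EOF'
The following packages will be upgraded:
  bash
Inst bash [OLD-VERSION] (NEW-VERSION Debian-Security [amd64])
Conf bash (NEW-VERSION Debian-Security [amd64])
EOF
}
sample_with_extra() { cat <<'EOF'
Inst libexample1 (NEW-VERSION Debian [amd64])
Inst bash [OLD-VERSION] (NEW-VERSION Debian-Security [amd64])
Conf libexample1 (NEW-VERSION Debian [amd64])
Conf bash (NEW-VERSION Debian-Security [amd64])
EOF
}
sample_no_change() { cat <<'EOF'
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
EOF
}

for s in sample_bash_only sample_with_extra sample_no_change; do
    printf '%s -> ' "$s"; "$s" | plan_status || true
done
```

A "no-change" verdict on a host that has not been patched yet means the configured sources carry no fixed package, so it needs follow-up rather than a tick in the list.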

On Thu, Sep 25, 2014 at 12:04:09AM -0000, OSGeo wrote:

> All public-facing OSGeo machines need to be checked for this

Already in progress,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

On Thu, Sep 25, 2014 at 10:01 AM, Martin Spott <Martin.Spott@mgras.net> wrote:

> On Thu, Sep 25, 2014 at 12:04:09AM -0000, OSGeo wrote:
>
>> All public-facing OSGeo machines need to be checked for this
>
> Already in progress,

I walked through all machines I know :)

Markus

PS: Not sure if the lenny etc boxes still get that update (if needed there)

On Thu, Sep 25, 2014 at 10:02:42AM +0200, Markus Neteler wrote:

> On Thu, Sep 25, 2014 at 10:01 AM, Martin Spott <Martin.Spott@mgras.net> wrote:
> > On Thu, Sep 25, 2014 at 12:04:09AM -0000, OSGeo wrote:
> >
> >> All public-facing OSGeo machines need to be checked for this
> >
> > Already in progress,
>
> I walked through all machines I know :)

Same here, but ....

> PS: Not sure if the lenny etc boxes still get that update (if needed there)

No, as far as I know they won't (I'll check again) - and in order for
the "squeeze" boxes to get it, you need to include the "squeeze-lts"
repository. That's what I'm doing.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

#1412: Remote Code Execution via BASH Vulnerability
---------------------------+------------------------------------------------
Reporter: darkblueb | Owner: sac@…
     Type: task | Status: closed
Priority: critical | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: SAC |
---------------------------+------------------------------------------------
Changes (by martin):

  * status: new => closed
  * resolution: => fixed

Comment:

All done - except "tracsvn", which is still Debian 5 (Lenny).

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1412#comment:2>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.