Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 5 Oct 2014 20:54:14 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

Sona,

Oh, I didn't realize you actually are with a distro vendor:

"Enea Linux is a Yocto-based Linux distribution targeted for
communication and networking solutions."

Then you do in fact have a valid reason to test for and patch the
individual bugs even when they're no longer security relevant.  My
advice is that if you feel you're a "non-expert" in bash bugs, you
simply apply all bash upstream's patches, and keep adding them to your
package of bash as more upstream patches become available.  You do not
need to issue security advisories (or whatever you normally do when
fixing security vulnerabilities) each time: it's sufficient to do that
once, when you've just included the prefix/suffix patch (bash43-027 or
equivalent).  Once you have bash43-027, further patches to bash are no
different than e.g. the many patches that are issued for VIM (a project
that tends to release hundreds of post-release patches, most of them
non-security).

I hope this helps.

Alexander

On Sun, Oct 05, 2014 at 05:44:15PM +0400, Solar Designer wrote:
> On Sun, Oct 05, 2014 at 10:22:06AM +0000, Sona Sarmadi wrote:
> > I think what most (non-expert) people need is an explanation for each CVE
> 
> No.  Most non-expert people only need to know that they need either the
> prefix/suffix patch included or function imports disabled, preferably in
> a security update from their distro vendor.  This makes the individual
> parser bugs, which got CVEs assigned, irrelevant.
[...]
> > 2) Do we need to apply *all* of these individual bash patches (i.e. bash43-025 through bash43-029)? Even  bash43-027 which is not solving any specific CVE?  Or should we apply 27 or all the others?
> 
> If you choose to build bash from source (why?) rather than simply use
> your distro's security update, [...]
[...]
> > 3) Do you have a script or summary of all tests in one place like  http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ? Or maybe these are good enough & reliable? 
> 
> You only need the one-liner test above.  Running tests for the various
> CVEs is a distraction (it's moderately useful e.g. for a distro vendor,
> to see what non-security bugs may need to be patched, but mostly not for
> an end-user or sysadmin).
> 
> Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.