Date: Sun, 5 Oct 2014 20:54:14 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code Sona, Oh, I didn't realize you actually are with a distro vendor: "Enea Linux is a Yocto-based Linux distribution targeted for communication and networking solutions." Then you do in fact have a valid reason to test for and patch the individual bugs even when they're no longer security relevant. My advice is that if you feel you're a "non-expert" in bash bugs, you simply apply all bash upstream's patches, and keep adding them to your package of bash as more upstream patches become available. You do not need to issue security advisories (or whatever you normally do when fixing security vulnerabilities) each time: it's sufficient to do that once, when you've just included the prefix/suffix patch (bash43-027 or equivalent). Once you have bash43-027, further patches to bash are no different than e.g. the many patches that are issued for VIM (a project that tends to release hundreds of post-release patches, most of them non-security). I hope this helps. Alexander On Sun, Oct 05, 2014 at 05:44:15PM +0400, Solar Designer wrote: > On Sun, Oct 05, 2014 at 10:22:06AM +0000, Sona Sarmadi wrote: > > I think what most (non-expert) people need is an explanation for each CVE > > No. Most non-expert people only need to know that they need either the > prefix/suffix patch included or function imports disabled, preferably in > a security update from their distro vendor. This makes the individual > parser bugs, which got CVEs assigned, irrelevant. [...] > > 2) Do we need to apply *all* of these individual bash patches (i.e. bash43-025 through bash43-029)? Even bash43-027 which is not solving any specific CVE? Or should we apply 27 or all the others? > > If you choose to build bash from source (why?) rather than simply use > your distro's security update, [...] [...] > > 3) Do you have a script or summary of all tests in one place like http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ? Or maybe these are good enough & reliable? > > You only need the one-liner test above. Running tests for the various > CVEs is a distraction (it's moderately useful e.g. for a distro vendor, > to see what non-security bugs may need to be patched, but mostly not for > an end-user or sysadmin). > > Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.