4 votos

Shellshock - "pkg actualizar bash" no actualizar bash a la última 4.3.25

Estoy usando FreeBSD-9.1-p5.

Mi security run output:

Checking for packages with security vulnerabilities:
Database fetched: Wed Sep 24 23:01:24 EDT 2014
bash-4.3.24

pkg info bash:

# pkg info bash
bash-4.3.24
Name           : bash
Version        : 4.3.24
Installed on   : Tue Sep 16 17:17:32 EDT 2014
Origin         : shells/bash
Architecture   : freebsd:9:x86:64
Prefix         : /usr/local
Categories     : shells
Licenses       : GPLv3
Maintainer     : ehaupt@FreeBSD.org
WWW            : http://cnswww.cns.cwru.edu/~chet/bash/bashtop.html
Comment        : The GNU Project's Bourne Again SHell
Options        :
   COLONBREAKSWORDS: on
   DOCS           : on
   HELP           : on
   IMPLICITCD     : on
   NLS            : on
   STATIC         : off
   SYSLOG         : off
Shared Libs required:
   libintl.so.9
   libiconv.so.3
Annotations    :
   repo_type      : binary
   repository     : FreeBSD
Flat size      : 6.65MiB
Description    :
This is GNU Bash.  Bash is the GNU Project's Bourne Again SHell,
a complete implementation of the POSIX.2 shell spec, but also
with interactive command line editing, job control on architectures
that support it, csh-like features such as history substitution and
brace expansion, and a slew of other features. 

WWW: http://cnswww.cns.cwru.edu/~chet/bash/bashtop.html
#

pkg upgrade bash:

# pkg upgrade bash 
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
#

Estoy usando pkg(8) e no /usr/ports. Qué significa el mantenedor no paquete de actualización, sin embargo, las vulnerabilidades de seguridad de la lista ya está actualizada?

2voto

alexus Puntos 3968

parece actualización está fuera)

[alexus@alexus ~]$ sudo pkg upgrade bash   
Password:
Updating FreeBSD repository catalogue...
[alexus.org] Fetching meta.txz: 100%   968 B   1.0k/s    00:01    
[alexus.org] Fetching digests.txz: 100%    2 MB   2.0M/s    00:01    
[alexus.org] Fetching packagesite.txz: 100%    5 MB   5.3M/s    00:01    
Removing expired repository entries: 100%
Processing new repository entries: 100%
FreeBSD repository update completed. 23417 packages processed:
  9022 updated, 63 removed and 155 added.
New version of pkg detected; it needs to be installed first.
The following 1 packages will be affected (of 0 checked):

Installed packages to be UPGRADED:
    pkg: 1.3.7 -> 1.3.8_1

The process will require 31 kB more space.
2 MB to be downloaded.

Proceed with this action? [y/N]: y
[alexus.org] Fetching pkg-1.3.8_1.txz: 100%    2 MB   2.0M/s    00:01    
Checking integrity... done (0 conflicting)
[alexus.org] [1/1] Upgrading pkg from 1.3.7 to 1.3.8_1: 100%
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 packages will be affected (of 0 checked):

Installed packages to be UPGRADED:
    bash: 4.3.24 -> 4.3.25_1

The operation will free 64 B.
1 MB to be downloaded.

Proceed with this action? [y/N]: y
[alexus.org] Fetching bash-4.3.25_1.txz: 100%    1 MB   1.2M/s    00:01    
Checking integrity... done (0 conflicting)
[alexus.org] [1/1] Upgrading bash from 4.3.24 to 4.3.25_1: 100%
[alexus@alexus ~]$ 

1voto

micah94 Puntos 11

Tuve que actualizar bash manualmente desde los puertos.

En primer lugar, me aseguré de que los puertos de arriba-a-fecha:

portsnap fetch update

Entonces, he actualizado pkg:

cd /usr/ports/ports-mgmt/pkg
make BATCH=yes build
make BATCH=yes deinstall
make BATCH=yes reinstall

Luego he actualizado a bash:

cd /usr/ports/shells/bash
make BATCH=yes build
make BATCH=yes deinstall
make BATCH=yes reinstall

Mi versión de bash es now up-to-fecha:

# bash --version
GNU bash, version 4.3.25(1)-release (i386-portbld-freebsd9.3)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
...

La palabra vulnerable no se muestran en esta prueba a continuación:

# env x='() { :;}; echo vulnerable' bash -c "echo hello"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

EnMiMaquinaFunciona.com

EnMiMaquinaFunciona es una comunidad de administradores de sistemas en la que puedes resolver tus problemas y dudas.
Puedes consultar las preguntas de otros sysadmin, hacer tus propias preguntas o resolver las de los demás.

Powered by: