CentOS - Sep 2014 - URGENT! Shellshock fix DOES NOT fix the bug on CentOS 5.4

Good afternoon!

After applying the latest bash RPM listed at
http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html :

The fixed RPM (bash-3.2-33.el5_10.4.x86_64.rpm) DOES work just fine on 
CentOS 5.10. However, it DOES NOT work on CentOS 5.4. That is, bash runs 
fine, but IS STILL VULNERABLE TO SHELLSHOCK!

Scary screenie at: http://i.imgur.com/yR7sBjV.png

It looks like the released RPM somehow behaves DIFFERENTLY on 5.4 as 
opposed to 5.10.

This has been validated by one of my coworkers; it's apparently not just me.

Best,

Jessica

Never mind; false alarm. Apparently, we both had a previous 'echo' file 
sitting around from before.

Best,

Jessica

On Fri, 26 Sep 2014, Jessica Blank wrote:
> Good afternoon!
>
> After applying the latest bash RPM listed at
>
http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html
> :
>
> The fixed RPM (bash-3.2-33.el5_10.4.x86_64.rpm) DOES work just fine on
CentOS
> 5.10. However, it DOES NOT work on CentOS 5.4. That is, bash runs fine, but
> IS STILL VULNERABLE TO SHELLSHOCK!
>
> Scary screenie at: http://i.imgur.com/yR7sBjV.png
>
> It looks like the released RPM somehow behaves DIFFERENTLY on 5.4 as
opposed
> to 5.10.
>
> This has been validated by one of my coworkers; it's apparently not
just me.
>
> Best,
>
> Jessica
>

Jessica Blank wrote:
> Good afternoon!
>
> After applying the latest bash RPM listed at
>
http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html
> :
> The fixed RPM (bash-3.2-33.el5_10.4.x86_64.rpm) DOES work just fine on
> CentOS 5.10. However, it DOES NOT work on CentOS 5.4. That is, bash runs
> fine, but IS STILL VULNERABLE TO SHELLSHOCK!
>
> Scary screenie at: http://i.imgur.com/yR7sBjV.png
>
> It looks like the released RPM somehow behaves DIFFERENTLY on 5.4 as
> opposed to 5.10.
>
> This has been validated by one of my coworkers; it's apparently not
just
> me.
Please note that the rpm is only for 5.10. You need to look around to see
if there *is* an update for 5.4....

    mark

On Fri, 2014-09-26 at 15:02 -0500, Jessica Blank wrote:

> Scary screenie at: http://i.imgur.com/yR7sBjV.png
Never mind the "scary screen" why are you deliberately using an
insecure
and out-of-date 5.4 version of Centos ?

Common sense says that if you are genuinely interested in security then
you always update. 


Regards,

Paul.
England, EU.

Learning until I die or experience dementia.

On 09/29/2014 04:15 AM, lhecking at users.sourceforge.net
wrote:
> William Woods writes:
>> 5.4 ? really???. 5.4 ? you have a lot of other issues to worry about.
>   
>   Repeating it three times doesn't make an arrogant statement more
true.
>
>   There are corporate environments that cannot upgrade for various reasons.
>   Also, the history and performance of e.g autofs on RHEL/CentOS is truly
>   awful. 5.4 does quite well in this regard, and later releases don't.
>
...

I read the thread before replying, and didn't see anyone mention that, 
if one needs an open source stay-on-a-point-release setup, one should 
investigate Scientific Linux, which does do this.  Yes, you can stay on 
5.4 and get only the security updates.  This is one of the differences 
between SL and CentOS.  (now, they only build for releases where 
upstream releases sources; thus, if you're on EL4, no updates for you.....).

The latest shellshock update from SL, for SL 5.4 x86_64 (which would 
install on C5.4 unmodified, I would imagine), is:
ftp://ftp.scientificlinux.org/linux/scientific/54/x86_64/updates/security/bash-3.2-33.el5_11.4.x86_64.rpm

For certain scientific applications, there are serious reasons to stay 
at a point release, and SL supplies to this niche.

If I were to need this specific niche here I would run SL at a point 
release without hesitation.