Jessica Blank
2014-Sep-26 20:02 UTC
[CentOS] URGENT! Shellshock fix DOES NOT fix the bug on CentOS 5.4
Good afternoon! After applying the latest bash RPM listed at
http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html :

The fixed RPM (bash-3.2-33.el5_10.4.x86_64.rpm) DOES work just fine on CentOS 5.10. However, it DOES NOT work on CentOS 5.4. That is, bash runs fine, but IS STILL VULNERABLE TO SHELLSHOCK!

Scary screenie at: http://i.imgur.com/yR7sBjV.png

It looks like the released RPM somehow behaves DIFFERENTLY on 5.4 as opposed to 5.10.

This has been validated by one of my coworkers; it's apparently not just me.

Best,

Jessica
Jessica Blank
2014-Sep-26 20:04 UTC
[CentOS] URGENT! Shellshock fix DOES NOT fix the bug on CentOS 5.4
Never mind; false alarm. Apparently, we both had a previous 'echo' file sitting around from before.

Best,

Jessica

On Fri, 26 Sep 2014, Jessica Blank wrote:
> Good afternoon!
>
> After applying the latest bash RPM listed at
> http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html
> :
>
> The fixed RPM (bash-3.2-33.el5_10.4.x86_64.rpm) DOES work just fine on CentOS
> 5.10. However, it DOES NOT work on CentOS 5.4. That is, bash runs fine, but
> IS STILL VULNERABLE TO SHELLSHOCK!
>
> Scary screenie at: http://i.imgur.com/yR7sBjV.png
>
> It looks like the released RPM somehow behaves DIFFERENTLY on 5.4 as opposed
> to 5.10.
>
> This has been validated by one of my coworkers; it's apparently not just me.
>
> Best,
>
> Jessica
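The false alarm above is worth a concrete check. The thread does not say which test produced the screenshot, but a leftover file named `echo` is exactly what the public CVE-2014-7169 test (`env X='() { (a)=>\' bash -c "echo date"; cat echo`) leaves behind on a vulnerable system: the parser bug turns the command into `date > echo`, so the test's signal is the existence of that file, and a stale copy from an earlier run on an unpatched bash makes a patched bash look vulnerable. The script below is an added example, not something posted in the thread or shipped by CentOS; it runs both the CVE-2014-6271 and CVE-2014-7169 checks against a fresh temporary directory so stale artifacts cannot skew the result. The optional path argument and the result words `vulnerable`, `patched`, `missing` and `error` are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): check a shell binary for Shellshock
# CVE-2014-6271 and CVE-2014-7169 from a clean temporary directory.
# Each check prints one word: "vulnerable", "patched", "missing" (binary not
# found) or "error" (could not set up the test directory).

# CVE-2014-6271: a variable whose value starts with "() {" is imported as a
# function; an unpatched bash also executes whatever follows the closing brace
# ("echo vulnerable" here) while importing it.
check_cve_2014_6271() {
    sh_bin=${1:-bash}   # which shell binary to test (assumed argument)
    command -v "$sh_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$sh_bin" -c 'echo test' 2>/dev/null) || out=""
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug; on an affected bash the
# trailing "=>\" in the function body makes the next command run as
# "date > echo", creating a file named "echo" in the current directory.
# The file is the only signal, so the test must run in a fresh directory:
# an "echo" left over from an earlier run is a false positive on a patched bash.
check_cve_2014_7169() {
    sh_bin=${1:-bash}
    command -v "$sh_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    tmp=$(mktemp -d) || { echo error; return 0; }
    rc=0
    (
        cd "$tmp" || exit 2
        env X='() { (a)=>\' "$sh_bin" -c 'echo date' >/dev/null 2>&1 || true
        [ -e echo ]      # exit status 0 = file created = vulnerable
    ) || rc=$?
    rm -rf "$tmp"        # never leave the artifact behind for the next run
    case $rc in
        0) echo vulnerable ;;
        1) echo patched ;;
        *) echo error ;;
    esac
}

# Usage: ./shellshock-check.sh [path-to-bash]
target=${1:-bash}
echo "CVE-2014-6271: $(check_cve_2014_6271 "$target")"
echo "CVE-2014-7169: $(check_cve_2014_7169 "$target")"
```

Passing an explicit path (for example the bash inside a chroot or an alternate install) lets the same script confirm that the binary you actually rebooted services onto is the patched one, rather than whichever `bash` happens to be first in `PATH`.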
m.roth at 5-cent.us
2014-Sep-26 20:24 UTC
[CentOS] URGENT! Shellshock fix DOES NOT fix the bug on CentOS 5.4
Jessica Blank wrote:
> Good afternoon!
>
> After applying the latest bash RPM listed at
> http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html
> :
> The fixed RPM (bash-3.2-33.el5_10.4.x86_64.rpm) DOES work just fine on
> CentOS 5.10. However, it DOES NOT work on CentOS 5.4. That is, bash runs
> fine, but IS STILL VULNERABLE TO SHELLSHOCK!
>
> Scary screenie at: http://i.imgur.com/yR7sBjV.png
>
> It looks like the released RPM somehow behaves DIFFERENTLY on 5.4 as
> opposed to 5.10.
>
> This has been validated by one of my coworkers; it's apparently not just
> me.

Please note that the rpm is only for 5.10. You need to look around to see if there *is* an update for 5.4....

mark
Always Learning
2014-Sep-26 21:42 UTC
[CentOS] URGENT! Shellshock fix DOES NOT fix the bug on CentOS 5.4
On Fri, 2014-09-26 at 15:02 -0500, Jessica Blank wrote:
> Scary screenie at: http://i.imgur.com/yR7sBjV.png

Never mind the "scary screen"; why are you deliberately using an insecure and out-of-date 5.4 version of CentOS?

Common sense says that if you are genuinely interested in security then you always update.

Regards,

Paul.
England, EU.

Learning until I die or experience dementia.
Lamar Owen
2014-Sep-29 15:36 UTC
[CentOS] URGENT! Shellshock fix DOES NOT fix the bug on CentOS 5.4
On 09/29/2014 04:15 AM, lhecking at users.sourceforge.net wrote:
> William Woods writes:
>> 5.4 ? really???. 5.4 ? you have a lot of other issues to worry about.
>
> Repeating it three times doesn't make an arrogant statement more true.
>
> There are corporate environments that cannot upgrade for various reasons.
> Also, the history and performance of e.g autofs on RHEL/CentOS is truly
> awful. 5.4 does quite well in this regard, and later releases don't.
> ...

I read the thread before replying, and didn't see anyone mention that, if one needs an open source stay-on-a-point-release setup, one should investigate Scientific Linux, which does do this. Yes, you can stay on 5.4 and get only the security updates. This is one of the differences between SL and CentOS. (Now, they only build for releases where upstream releases sources; thus, if you're on EL4, no updates for you.....)

The latest shellshock update from SL, for SL 5.4 x86_64 (which would install on C5.4 unmodified, I would imagine), is:
ftp://ftp.scientificlinux.org/linux/scientific/54/x86_64/updates/security/bash-3.2-33.el5_11.4.x86_64.rpm

For certain scientific applications, there are serious reasons to stay at a point release, and SL supplies to this niche. If I were to need this specific niche here I would run SL at a point release without hesitation.