Displaying 20 results from an estimated 39 matches for "shellshocker".
2014 Sep 26
4
URGENT! Shellshock fix DOES NOT fix the bug on CentOS 5.4
Good afternoon!
After applying the latest bash RPM listed at
http://lists.centos.org/pipermail/centos-announce/2014-September/020594.html :
The fixed RPM (bash-3.2-33.el5_10.4.x86_64.rpm) DOES work just fine on
CentOS 5.10. However, it DOES NOT work on CentOS 5.4. That is, bash runs
fine, but IS STILL VULNERABLE TO SHELLSHOCK!
Scary screenie at: http://i.imgur.com/yR7sBjV.png
It looks like
2014 Oct 08
0
patching bash 2.05b for Shellshock
Hello all,
Amongst a number of modern CentOS machines we have this one RHEL 3 machine
(don't ask me why:) and on it we have bash 2.05b. I was trying to compile a
version of bash for it that would be Shellshock-proofed.
To do that, I downloaded a copy of the code from the GNU along with all the
13 patches, applied the patches, compiled the code and installed the
executable. All
2014 Oct 03
0
ShellShock and bash status
For those of us still in shell shock, the following was sent several
days ago under a misleading subject/thread mixed in with a bunch of
other nonsense. (Message-ID: <54291071.7010209 at centos.org>)
According to Johnny the second bash patch addressed all of the known
issues. I had been waiting for a third patch to come through and
missed this important information sent on Monday.
On
2014 Sep 26
1
Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
I'm right now handling this beach-ball sized grenade, and trying to
figure out which of our services need to be locked down right away.
Since dovecot passes values via environment variables based on
user input (e.g. username, password, mailbox?) to auxiliary
executables (including possibly bash shell scripts), is dovecot
vulnerable to this exploit?
(This is not a fault of dovecot, but
2014 Oct 02
1
AstLinux 1.2.0 Released
The AstLinux Team has released 1.2.0. All current users are encouraged to upgrade as this release addresses the bash "ShellShock" bug.
New in 1.2.0:
* New Linux Kernel 3.2.x
* "igb" ethernet driver for Intel Atom C2000
* Enable AES-NI support
* New "sip-user-agent" firewall plugin
* New versions of Asterisk 11 and 1.8
* Bash "ShellShock" security fixes
A
2014 Oct 09
2
Bash still vulnerable
According to the vulnerability test script from shellshocker.net, the latest
bash versions on CentOS5 and CentOS6, 3.2-33.el5_11.4 and 4.1.2-15.el6_5.2,
resp., are still vulnerable to CVE-2014-6277. In fact, on CentOS6, abrtd will
send you a nice report about it. Does anyone know if upstream is working on a
fix?
[root at host ~]# bash ~/shellshock_test....
2014 Oct 06
1
'template shell' samba parameter
Hi,
As part of the bash 'shellshock' bug / vulnerability in unix/linux
environments I would like to know
whether the use of the samba parameter 'template shell' in my product may
cause my product to be vulnerable to the shellshock bug, since this
'template shell' parameter, as per my understanding allows to open a
remote bash session used by external users.
I would
2015 Feb 03
3
Another Fedora decision
On Mon, Feb 2, 2015 at 8:02 PM, Kahlil Hodgson
<kahlil.hodgson at dealmax.com.au> wrote:
> On 3 February 2015 at 13:34, PatrickD Garvey <patrickdgarveyt at gmail.com> wrote:
>> Now how about some specific sources you personally used to learn your
>> craft that we can use likewise?
>
> So many places it makes my brain hurt just thinking about it. Google
> and
2015 Feb 05
2
Another Fedora decision
On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>
>>> Most such vulns are against Apache, PHP, etc, which do not run as root.
>>
>> Those are common. Combine them with anything called a 'local
>> privilege escalation' vulnerability and you've got a remote root
>> exploit.
>
> Not quite. An LPE can only be used
2015 Jan 12
2
Design changes are done in Fedora
On Sun, January 11, 2015 7:29 pm, Keith Keller wrote:
> On 2015-01-12, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>
>> PS I guess I just mention it. I'm quite happy about CentOS (or RedHat if
>> I
>> look back). One day I realized how happy I am that I chose RedHat way
>> back, - that was when all Debian (and its clones like Ubuntu,...) admins
2015 Feb 03
0
Another Fedora decision
On Mon, 2015-02-02 at 20:26 -0800, PatrickD Garvey wrote:
>
> The CentOS wiki pages found by a title page search are:
> http://wiki.centos.org/HelpOnConfiguration/SecurityPolicy
> http://wiki.centos.org/HowTos/Security
> http://wiki.centos.org/Security
> http://wiki.centos.org/Security/Heartbleed
> http://wiki.centos.org/Security/POODLE
>
2015 Feb 03
3
Another Fedora decision
On Tue, Feb 3, 2015 at 9:34 AM, Always Learning <centos at u64.u22.net> wrote:
>
> On Mon, 2015-02-02 at 20:26 -0800, PatrickD Garvey wrote:
>>
>> The CentOS wiki pages found by a title page search are:
>> http://wiki.centos.org/HelpOnConfiguration/SecurityPolicy
>> http://wiki.centos.org/HowTos/Security
>> http://wiki.centos.org/Security
>>
2015 Jan 12
4
Design changes are done in Fedora
On Sun, January 11, 2015 8:29 pm, Eddie G. O'Connor Jr. wrote:
> On 01/11/2015 09:24 PM, Valeri Galtsev wrote:
>> On Sun, January 11, 2015 7:29 pm, Keith Keller wrote:
>>> On 2015-01-12, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>>> PS I guess I just mention it. I'm quite happy about CentOS (or RedHat
>>>> if
>>>> I
2016 Jan 27
2
is dovecot vulnerable to this kind of attack?
I found an interesting email that got caught in my spam quarantine. I'm wondering if dovecot is vulnerable to this kind of code execution (I'm aware that other components could be vulnerable, but this question is specifically targeting dovecot).
The idea is to insert shell commands into various header fields that would get executed as part of the message processing/delivery.
Examples include:
2014 Nov 23
1
yum-plugin-security
On Sat, 22 Nov 2014 17:10:40 -0600
"John R. Dennison" <jrd at gerdesas.com> wrote:
> On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
> >
> > I don't like to spend time in creating ugly workarounds..
> > and therefore would highly appreciate if the CentOS-Developers
> > will add the data to the yum repositories.
> > Then I can
2015 Jan 12
1
Design changes are done in Fedora
On 01/11/2015 09:38 PM, Valeri Galtsev wrote:
> On Sun, January 11, 2015 8:29 pm, Eddie G. O'Connor Jr. wrote:
>> On 01/11/2015 09:24 PM, Valeri Galtsev wrote:
>>> On Sun, January 11, 2015 7:29 pm, Keith Keller wrote:
>>>> On 2015-01-12, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>>>> PS I guess I just mention it. I'm quite
2014 Nov 22
4
yum-plugin-security
Hi all,
I have difficulties understanding the output of yum-plugin-security.
I am on a X86_64 machine and when I query for security updates,
yum lists i686 packages, that I don't have installed.
--------------------
# yum check-update --security
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
* base: centos.mirror.linuxwerk.com
* epel:
2014 Oct 02
15
[Bug 2283] New: option to execute command without shell
https://bugzilla.mindrot.org/show_bug.cgi?id=2283
Bug ID: 2283
Summary: option to execute command without shell
Product: Portable OpenSSH
Version: 6.6p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2015 Jan 12
0
Design changes are done in Fedora
On 01/11/2015 09:24 PM, Valeri Galtsev wrote:
> On Sun, January 11, 2015 7:29 pm, Keith Keller wrote:
>> On 2015-01-12, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>> PS I guess I just mention it. I'm quite happy about CentOS (or RedHat if
>>> I
>>> look back). One day I realized how happy I am that I chose RedHat way
>>> back, -
2015 Feb 05
0
Another Fedora decision
> On Feb 4, 2015, at 7:23 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>
> On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>>
>> An LPE can only be used against your system by logged-in users.
>
> Or any running program - like a web server.
That's not what LPE means. "L" = "local", meaning you are logged-in interactively