[opensuse] What happened to openSUSE-SU-2014:1254-1
Hi Folks,

I'm having to maintain a 13.2 box with a requirement to run Nessus scans on it. Nessus is complaining about bash related CVE-2014-6271 and related issues. The fix is mentioned here:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
but "zypper in -t patch openSUSE-2014-567" says "patch non-existent or not needed".

Nessus identifies the installed bash as bash-4.2-75.3.1, but says it should be bash-4.2-75.4.1.

This doesn't work either:
zypper patch --cve=CVE-2014-6217

Is there something wrong with the repositories, or is Nessus barking up the wrong tree? This is on a fresh 13.2 x86-64 system.

Thanks in advance,
Lew
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, 27 Mar 2015 17:03:10 -0700 Lew Wolfgang <wolfgang@sweet-haven.com> writes:
Hi Folks,
I'm having to maintain a 13.2 box with a requirement to run Nessus scans on it. Nessus is complaining about bash related CVE-2014-6271 and related issues. The fix is mentioned here:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
but "zypper in -t patch openSUSE-2014-567" says "patch non-existent or not needed".
Nessus identifies the installed bash as bash-4.2-75.3.1, but says it should be bash-4.2-75.4.1.
This doesn't work either:
zypper patch --cve=CVE-2014-6217
Is there something wrong with the repositories, or is Nessus barking up the wrong tree?
This is on a fresh 13.2 x86-64 system.
There is no patch for 13.2 because it had been fixed before 13.2 was even released:

* Thu Sep 18 2014 werner@suse.de
- Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271, the unexpected code execution with environment variables (bnc#896776)
On 03/27/2015 09:47 PM, Andrei Borzenkov wrote:
On Fri, 27 Mar 2015 17:03:10 -0700 Lew Wolfgang <wolfgang@sweet-haven.com> writes:
Hi Folks,
I'm having to maintain a 13.2 box with a requirement to run Nessus scans on it. Nessus is complaining about bash related CVE-2014-6271 and related issues. The fix is mentioned here:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
but "zypper in -t patch openSUSE-2014-567" says "patch non-existent or not needed".
Nessus identifies the installed bash as bash-4.2-75.3.1, but says it should be bash-4.2-75.4.1.
This doesn't work either:
zypper patch --cve=CVE-2014-6217
Is there something wrong with the repositories, or is Nessus barking up the wrong tree?
This is on a fresh 13.2 x86-64 system.
There is no patch for 13.2 because it had been fixed before 13.2 was even released:
* Thu Sep 18 2014 werner@suse.de - Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271, the unexpected code execution with environment variables (bnc#896776)
Thanks Andrei. Do you have a link to the reference? I'm going to have to show the IA folks here that their Nessus plugin is confused about bash version numbers. They may have pulled their info from this announcement:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
...that shows a patched 13.2 should report bash-4.2-75.4.1.

Regards,
Lew
On March 28, 2015 8:55:11 AM MST, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 03/27/2015 09:47 PM, Andrei Borzenkov wrote:
On Fri, 27 Mar 2015 17:03:10 -0700 Lew Wolfgang <wolfgang@sweet-haven.com> writes:
Hi Folks,
I'm having to maintain a 13.2 box with a requirement to run Nessus scans on it. Nessus is complaining about bash related CVE-2014-6271 and related issues. The fix is mentioned here:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
but "zypper in -t patch openSUSE-2014-567" says "patch non-existent or not needed".
Nessus identifies the installed bash as bash-4.2-75.3.1, but says it should be bash-4.2-75.4.1.
This doesn't work either:
zypper patch --cve=CVE-2014-6217
Is there something wrong with the repositories, or is Nessus barking up the wrong tree?
This is on a fresh 13.2 x86-64 system.
There is no patch for 13.2 because it had been fixed before 13.2 was even released:
* Thu Sep 18 2014 werner@suse.de - Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271, the unexpected code execution with environment variables (bnc#896776)
Thanks Andrei. Do you have a link to the reference? I'm going to have to show the IA folks here that their Nessus plugin is confused about bash version numbers. They may have pulled their info from this announcement:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
...that shows a patched 13.2 should report bash-4.2-75.4.1.
Regards, Lew
No idea how this Nessus works, but if it relies solely on version strings it is a pretty weak tool. Especially with the bash issue, since testing it is so simple, with scripts available in a hundred places on the net.
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 03/28/2015 09:28 AM, John Andersen wrote:
On March 28, 2015 8:55:11 AM MST, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 03/27/2015 09:47 PM, Andrei Borzenkov wrote:
On Fri, 27 Mar 2015 17:03:10 -0700 Lew Wolfgang <wolfgang@sweet-haven.com> writes:
Hi Folks,
I'm having to maintain a 13.2 box with a requirement to run Nessus scans on it. Nessus is complaining about bash related CVE-2014-6271 and related issues. The fix is mentioned here:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
but "zypper in -t patch openSUSE-2014-567" says "patch non-existent or not needed". Nessus identifies the installed bash as bash-4.2-75.3.1, but says it should be bash-4.2-75.4.1.
This doesn't work either:
zypper patch --cve=CVE-2014-6217
Is there something wrong with the repositories, or is Nessus barking up the wrong tree?
This is on a fresh 13.2 x86-64 system.
There is no patch for 13.2 because it had been fixed before 13.2 was even released:
* Thu Sep 18 2014 werner@suse.de - Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271, the unexpected code execution with environment variables (bnc#896776)
Thanks Andrei. Do you have a link to the reference? I'm going to have to show the IA folks here that their Nessus plugin is confused about bash version numbers. They may have pulled their info from this announcement:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
...that shows a patched 13.2 should report bash-4.2-75.4.1.
Regards, Lew
No idea how this Nessus works, but if it relies solely on version strings it is a pretty weak tool. Especially with the bash issue, since testing it is so simple, with scripts available in a hundred places on the net.
Hi John,

This is Nessus: http://www.tenable.com/products/nessus-vulnerability-scanner

Nessus requires remote administrative access. It does a lot of things, but it definitely does an `rpm -qa` to match installed packages against a database of known-good versions. I know, open your box to remote third-party admin to make sure you're secure! What could possibly go wrong?

At any rate, it is what it is, and Information Assurance is the "new black", where "policy" trumps "reality". We just have to live with it as long as customers are demanding it and are willing to pay the freight. A link to an official SuSE reference showing compliance would be easier than my running a script on dozens of hosts to justify an exception.

Regards,
Lew

"Security at any cost, including security!" -- Lew Wolfgang, 2014
On 03/28/15 18:40, Lew Wolfgang wrote:
At any rate, it is what it is, and Information Assurance is the "new black", where "policy" trumps "reality".
"Security at any cost, including security!" -- Lew Wolfgang, 2014 --
Sadly, that's nothing new. In 2004, more than ten years ago, I had a customer complaint, backed by a security scan, that NFS has to be turned off at a server, since it is an insecure service that must be turned off according to some CIS security benchmark. (Please note, I'm well aware that this is not the case. I was at the receiving end of a security audit.) Well, the whole purpose of that server, at an automotive company, was: to be the NFS server of construction data.

The problem was not the idiot security consultants who prepared that report. It was the middle management of my customer who freaked out because the upper management had received report of that "security vulnerability" and demanded immediate action to "remedy" the problem. Acknowledging that there is no problem was not an acceptable action; one has TO DO SOMETHING, no action means that you're the one manager who doesn't actively work on the problem's solution.

My sarcastic proposal to just turn off the NFS server with all their construction data, to see how they make ends meet without it, was not meant earnest and was not taken well either by IT -- but was put into action by lower IT management, following middle management's taking-too-earnest attitude of the security consultant's recommendations... Half a day later, the system was live again, and the so-called "security consultants" had lost an important customer. Sometimes, just sometimes, life is just.

Enough rambling and reminiscences, sorry for the distraction. :-)

Joachim
--
Joachim Schrod, Roedermark, Germany
Email: jschrod@acm.org
On Sat, Mar 28, 2015 at 11:55 AM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 03/27/2015 09:47 PM, Andrei Borzenkov wrote:
On Fri, 27 Mar 2015 17:03:10 -0700 Lew Wolfgang <wolfgang@sweet-haven.com> writes:
Hi Folks,
I'm having to maintain a 13.2 box with a requirement to run Nessus scans on it. Nessus is complaining about bash related CVE-2014-6271 and related issues. The fix is mentioned here:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
but "zypper in -t patch openSUSE-2014-567" says "patch non-existent or not needed".
Nessus identifies the installed bash as bash-4.2-75.3.1, but says it should be bash-4.2-75.4.1.
This doesn't work either:
zypper patch --cve=CVE-2014-6217
Is there something wrong with the repositories, or is Nessus barking up the wrong tree?
This is on a fresh 13.2 x86-64 system.
There is no patch for 13.2 because it had been fixed before 13.2 was even released:
* Thu Sep 18 2014 werner@suse.de - Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271, the unexpected code execution with environment variables (bnc#896776)
Thanks Andrei. Do you have a link to the reference? I'm going to have to show the IA folks here that their Nessus plugin is confused about bash version numbers. They may have pulled their info from this announcement:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
...that shows a patched 13.2 should report bash-4.2-75.4.1.
Regards, Lew
Lew,

The 13.2 official release Changelog is at:
https://build.opensuse.org/package/view_file/openSUSE:13.2/bash/bash.changes...

The part I think you care about is:
==
Tue Sep 30 11:45:52 UTC 2014 - werner@suse.de
- Remove and replace patches bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50
- Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly
===

Greg
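The thread's point is that the package changelog, not the release number a scanner compares, is the evidence that a fix is present. The following added example (not from the thread or from openSUSE) turns that into a small audit check: it scans changelog text for the CVE ids and prints one status line per CVE, suitable for an exception request. It assumes the changelog is obtained with `rpm -q --changelog <pkg>` on the host; here a constructed excerpt modelled on the bash.changes entries quoted above stands in for it.

```shell
#!/bin/sh
# Added example, not from the thread: produce audit evidence that a CVE is
# recorded as fixed in an installed RPM's changelog, instead of trusting the
# package release number that a version-string scanner compares.
# On a real openSUSE host (assumed invocation, not run here):
#   rpm -q --changelog bash | report bash CVE-2014-6271 CVE-2014-7169

# Print "fixed" (exit 0) if the changelog text on stdin mentions the CVE id
# given as $1 as a whole word, else print "missing" (exit 1).
cve_status() {
    if grep -qw -- "$1"; then
        echo fixed
    else
        echo missing
        return 1
    fi
}

# Return 0 only when every CVE given as an argument is found in the
# changelog text on stdin (read once so it can be scanned several times).
cves_in_changelog() {
    text=$(cat)
    for cve in "$@"; do
        printf '%s\n' "$text" | cve_status "$cve" >/dev/null || return 1
    done
}

# Report one line "<pkg> <cve> <status>" per CVE for the package in $1.
report() {
    pkg=$1; shift
    text=$(cat)
    for cve in "$@"; do
        status=$(printf '%s\n' "$text" | cve_status "$cve") || true
        echo "$pkg $cve $status"
    done
}

# Constructed sample, modelled on the bash.changes entries quoted in the thread.
SAMPLE_CHANGELOG='* Tue Sep 30 2014 werner@suse.de
- Remove and replace patches bash-4.2-CVE-2014-6271.patch
  bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch
  with bash upstream patch 48, patch 49, and patch 50
* Thu Sep 18 2014 werner@suse.de
- Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271 (bnc#896776)'

# Demo run over the constructed sample; the third CVE is deliberately absent.
printf '%s\n' "$SAMPLE_CHANGELOG" | report bash CVE-2014-6271 CVE-2014-7169 CVE-2014-6278
```

A "missing" line means only that the changelog does not name the CVE; a fix may still be present under a different reference, so treat it as a prompt to check the package source, not as proof of exposure.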
On Sat, 28 Mar 2015 08:55:11 -0700 Lew Wolfgang <wolfgang@sweet-haven.com> writes:
On 03/27/2015 09:47 PM, Andrei Borzenkov wrote:
On Fri, 27 Mar 2015 17:03:10 -0700 Lew Wolfgang <wolfgang@sweet-haven.com> writes:
Hi Folks,
I'm having to maintain a 13.2 box with a requirement to run Nessus scans on it. Nessus is complaining about bash related CVE-2014-6271 and related issues. The fix is mentioned here:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
but "zypper in -t patch openSUSE-2014-567" says "patch non-existent or not needed".
Nessus identifies the installed bash as bash-4.2-75.3.1, but says it should be bash-4.2-75.4.1.
This doesn't work either:
zypper patch --cve=CVE-2014-6217
Is there something wrong with the repositories, or is Nessus barking up the wrong tree?
This is on a fresh 13.2 x86-64 system.
There is no patch for 13.2 because it had been fixed before 13.2 was even released:
* Thu Sep 18 2014 werner@suse.de - Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271, the unexpected code execution with environment variables (bnc#896776)
Thanks Andrei. Do you have a link to the reference? I'm going to have to show the IA folks here that their Nessus plugin is confused about bash version numbers. They may have pulled their info from this announcement:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
...that shows a patched 13.2 should report bash-4.2-75.4.1.
IIRC this was an emergency fix indeed, and it was published as an update at the time to avoid waiting for the normal channel.

As for version numbers, I must step back - I still do not understand how the release is computed. But it is quite possible that the release number for this update was indeed higher than what we have now. Basically, the "4" above is the number of commits since the base revision, and commits are counted independently in each repository.

But the fact is that the current bash in 13.2 includes fixes for this CVE and has done so for half a year at the very least.
participants (5): Andrei Borzenkov, Greg Freemyer, Joachim Schrod, John Andersen, Lew Wolfgang