#31413 - 10/05/14 01:49 PM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: alternaut
FWIW, according to Francis Barr in today's Security Reader Report (MacInTouch Oct 4) 'the latest Yosemite 10.10 beta 4 updates bash from version 3.2.51 to 3.5.23 […] suggesting that it has patched the Shellshocked vulnerabilities'.

Unfortunately Yosemite Beta 4 is not available for download at the moment, at least not from Apple. :(
_________________________
joemikeb • moderator

#31428 - 10/06/14 06:42 AM Re: Shellshock – Bash-related Linux security bug [Re: joemikeb]
jchuzi Online


Registered: 08/04/09
Loc: New York State
_________________________
Jon

OS 10.15.2, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#31464 - 10/07/14 11:10 PM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
artie505 Online


Registered: 08/04/09
I just used the 3rd party installer; now, how do I verify that I'm actually running the version of bash that I'm supposed to be running?

Thanks.

Edit: There's a series of Terminal commands here to test for vulnerabilities, and since none of my results matched those displayed, I assume that my system is patched.

But is there a more "direct" way to tell?


Edited by artie505 (10/08/14 12:31 AM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#31466 - 10/08/14 03:17 AM Re: Shellshock – Bash-related Linux security bug [Re: artie505]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Read Apple issues fix for ‘Shell Shock’ Bash vulnerability. The relevant part says:

Once you have run these updates, you can check that bash has been updated by opening the Terminal and running the following command:

bash --version

When you do this, you should see output that reads “GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13).” This should be the same for OS X 10.7 Lion, 10.8 Mountain Lion, and 10.9 Mavericks.


From what I have read, that bash version should be the same for Snowy. Please post back with your results. I haven't installed the update yet so I'd like to know your experience.
_________________________
Jon

#31468 - 10/08/14 07:48 AM Re: Shellshock – Bash-related Linux security bug [Re: jchuzi]
artie505 Online


Registered: 08/04/09
Thanks, Jon.

Code:
Artie's-MacBook-Pro:~ artie$ bash --version
GNU bash, version 4.3.28(4)-release (i386-apple-darwin8.11.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Artie's-MacBook-Pro:~ artie$ 

4.3.28 is the version number I expected to see (as per this).
_________________________
#31470 - 10/08/14 08:42 AM Re: Shellshock – Bash-related Linux security bug [Re: artie505]
alternaut Offline

Moderator

Registered: 08/04/09
In this post I address comments both Jon and Artie made immediately above. First off, the only quick way to establish your Bash vulnerability status at the moment is to run a Bash check script or the equivalent Terminal commands.

The comment I made in post #31391 above about the Apple patches possibly not fixing all vulnerabilities was based on the result of a Bash check script by Hanno Böck and run by Rapid7 security researcher Greg Wiseman. Böck's script currently tests for 6 different Bash vulnerabilities. Running a check after an optimal patch should indicate that all 6 vulnerabilities have been patched. It was initially not clear whether Wiseman's results actually differed from those listed by Francis Barr in MacInTouch on October 4th, or whether he interpreted them differently. But in an Oct. 2 update Wiseman already stated that the vulnerabilities he found to be not addressed by the Apple patches were in fact not exploitable. This implies that the available Apple patches are OK, at least for now (see below).

The version of GNU bash shipped with Mac OS X is 3.2; the current version is 4.3. Both had 'the' flaw, and both were patched, with the patch number appended to the Bash version number. Which one the Bash-check produces depends on your OS X version and its associated Bash version, or the patch version which replaced it. While Apple stayed with 3.2 for their patch, TFF used v.4.3. In this context, Bash 3.2, patches 52, 53, and 54 correspond to Bash 4.3 patches 25, 26, and 27.
All that said, there is really no such thing as 'the' flaw, since additional flaws have been found on almost a daily basis since Bash came under increased scrutiny. Additional patches can be expected, as well as official Apple action in case of newly found exploitable flaws.

PS, it appears that a patch version number (i.e., 3.5.23) in the quote from MIT poster Francis Barr I included in post #31402 contained a typo. I have now marked it there as such. The Bash test result in Francis Barr's MIT post lists the proper version number, 3.2.53.
_________________________
alternaut moderator
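
Added example (not part of any post in this thread, and not Hanno Böck's script): a shell example of the two checks discussed above, reading the series and patch level out of `bash --version` and running a local behavioural probe, since the version number alone does not settle the question. The function names, the marker string and the thresholds (3.2.53 and 4.3.28, the versions posters here report as installed) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. All names here are hypothetical.

# Print "SERIES PATCH" (e.g. "3.2 53") from the first line of `bash --version`.
# Prints nothing if the line is not a GNU bash version banner.
parse_bash_version() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\)\.\([0-9][0-9]*\)(.*/\1 \2/p'
}

# Compare against the patch levels quoted in the thread (assumed thresholds):
# 3.2.53 for Apple's update, 4.3.28 for the TenFourFox build.
# Prints "at-or-above", "below" or "unknown-series".
thread_patch_status() {
    series=$1 patch=$2
    case $series in
        3.2) min=53 ;;
        4.3) min=28 ;;
        *)   echo unknown-series; return 0 ;;
    esac
    if [ "$patch" -ge "$min" ]; then echo at-or-above; else echo below; fi
}

# Behavioural probe of one local bash binary: export a variable shaped like a
# function definition followed by a harmless echo. A patched bash ignores the
# trailing command, so the marker never appears. This covers only the original
# function-import flaw, not all six cases the thread says Böck's script tests.
import_probe() {
    out=$(env probe='() { :;}; echo MARKER_7f3a' "$1" -c : 2>/dev/null) || true
    case $out in
        *MARKER_7f3a*) echo marker-seen ;;
        *)             echo marker-not-seen ;;
    esac
}

# One-line report for a bash binary (defaults to the first bash on PATH).
check_bash() {
    bin=${1:-$(command -v bash)}
    line=$("$bin" --version | head -n 1)
    set -- $(parse_bash_version "$line")
    echo "$bin: series=$1 patch=$2 thread=$(thread_patch_status "$1" "$2") probe=$(import_probe "$bin")"
}

# Usage: check_bash /bin/bash
```

A result of `below` or `unknown-series` together with `marker-not-seen` means the binary is outside the versions named here but still ignores the probe; run a fuller test script before drawing conclusions.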

#31486 - 10/10/14 05:05 PM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
artie505 Online


Registered: 08/04/09
A (probably) final update from TenFourFox Development...

Quote:
FINAL UPDATE: 4.3.30 is now available. There are no new tests, and it is not clear the flaws it fixes are exploitable with the other changes, but it is available for those that wish it. Assuming no other vulnerabilities are found in the near future, this should be the last patch.

Edit: v 4.3.30 d/l's as a .gz file and opens to...an unidentified something; anybody got any ideas?


Edited by artie505 (10/10/14 05:13 PM)
_________________________
#31492 - 10/11/14 07:13 AM Re: Shellshock – Bash-related Linux security bug [Re: artie505]
alternaut Offline

Moderator

Registered: 08/04/09
The 'bash-4.3.30-10.4u' file you get when you decompress that gz archive is the properly formatted and patched bash version you need to replace your current one with, using the procedure described in detail further down the page you linked to.

If you prefer to use an installer for this patch, go HERE, where you'll find a link to the updated version of the old installer. The download option I posted in post 31391 above used patch v4.3.28, and has now been removed and replaced with the new one here.


Edited by alternaut (10/11/14 07:20 AM)
_________________________
alternaut moderator

#31495 - 10/11/14 02:39 PM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
The version of bash used in Yosemite beta 5 is GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin14). However it passes all of the TenFourFox tests.
_________________________
joemikeb • moderator

#31496 - 10/11/14 03:05 PM Re: Shellshock – Bash-related Linux security bug [Re: joemikeb]
alternaut Offline

Moderator

Registered: 08/04/09
You're fine if you patched your system and it passes the flaw test, regardless of exactly which patch version you applied. As I mentioned before, those Bash patches keep on coming, and their relevance to the Shellshock flaws—assuming there is one—is not always clear. If you want to look into the details, check out the various patch reports in their respective repositories:

- bash-3.2 patches
- bash-4.3 patches
_________________________
alternaut moderator

#31499 - 10/11/14 09:38 PM Re: Shellshock – Bash-related Linux security bug [Re: alternaut]
artie505 Online


Registered: 08/04/09
Thanks for the clarification (because I had your original link in hand, I had never read down the page) and the new installer link.
_________________________