Re: Shellshock – Bash-related Linux security bug
alternaut #31413 10/05/14 08:49 PM
Originally Posted By: alternaut
FWIW, according to Francis Barr in today's Security Reader Report (MacInTouch Oct 4) 'the latest Yosemite 10.10 beta 4 updates bash from version 3.2.51 to 3.5.23 […] suggesting that it has patched the Shellshocked vulnerabilities'.

Unfortunately Yosemite Beta 4 is not available for download at the moment, at least not from Apple. :(


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Shellshock – Bash-related Linux security bug
joemikeb #31428 10/06/14 01:42 PM


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Shellshock – Bash-related Linux security bug
alternaut #31464 10/08/14 06:10 AM
I just used the 3rd party installer; now, how do I verify that I'm actually running the version of bash that I'm supposed to be running?

Thanks.

Edit: There's a series of Terminal commands here to test for vulnerabilities, and since none of my results matched those displayed, I assume that my system is patched.

But is there a more "direct" way to tell?

Last edited by artie505; 10/08/14 07:31 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Shellshock – Bash-related Linux security bug
artie505 #31466 10/08/14 10:17 AM
Read Apple issues fix for ‘Shell Shock’ Bash vulnerability. The relevant part says:

Once you have run these updates, you can check that bash has been updated by opening the Terminal and running the following command:

bash --version

When you do this, you should see output that reads “GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13).” This should be the same for OS X 10.7 Lion, 10.8 Mountain Lion, and 10.9 Mavericks.


From what I have read, that bash version should be the same for Snowy. Please post back with your results. I haven't installed the update yet so I'd like to know your experience.


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Shellshock – Bash-related Linux security bug
jchuzi #31468 10/08/14 02:48 PM
Thanks, Jon.

Code:
Artie's-MacBook-Pro:~ artie$ bash --version
GNU bash, version 4.3.28(4)-release (i386-apple-darwin8.11.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Artie's-MacBook-Pro:~ artie$ 

4.3.28 is the version number I expected to see (as per this).


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Shellshock – Bash-related Linux security bug
artie505 #31470 10/08/14 03:42 PM
In this post I address comments both Jon and Artie made immediately above. First off, the only quick way to establish your Bash vulnerability status at the moment is to run a Bash check script or the equivalent Terminal commands.

The comment I made in post #31391 above about the Apple patches possibly not fixing all vulnerabilities was based on the result of a Bash check script by Hanno Böck and run by Rapid7 security researcher Greg Wiseman. Böck's script currently tests for 6 different Bash vulnerabilities. Running a check after an optimal patch should indicate that all 6 vulnerabilities have been patched. It was initially not clear whether Wiseman's results actually differed from those listed by Francis Barr in MacInTouch on October 4th, or whether he interpreted them differently. But in an Oct. 2 update Wiseman already stated that the vulnerabilities he found to be not addressed by the Apple patches were in fact not exploitable. This implies that the available Apple patches are OK, at least for now (see below).

The version of GNU bash shipped with Mac OS X is 3.2; the current version is 4.3. Both had 'the' flaw, and both were patched, with the patch number appended to the Bash version number. Which one the Bash-check produces depends on your OS X version and its associated Bash version, or the patch version which replaced it. While Apple stayed with 3.2 for their patch, TFF used v.4.3. In this context, Bash 3.2, patches 52, 53, and 54 correspond to Bash 4.3 patches 25, 26, and 27.

All that said, there is really no such thing as 'the' flaw, since additional flaws have been found on almost a daily basis since Bash came under increased scrutiny. Additional patches can be expected, as well as official Apple action in case of newly found exploitable flaws.

PS, it appears that a patch version number (i.e., 3.5.23) in the quote from MIT poster Francis Barr I included in post #31402 contained a typo. I have now marked it there as such. The Bash test result in Francis Barr's MIT post lists the proper version number, 3.2.53.


alternaut moderator
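
The version comparison discussed in the posts above, as an added example that is not part of any post or of the linked check scripts: it parses the first line of `bash --version` and compares the patch level with a per-branch baseline. The function names and the baselines are assumptions made for this example (3.2.53 is the level quoted for Apple's update, 4.3.26 its counterpart under the 3.2/4.3 mapping given above); the result identifies the installed build only, while the check scripts mentioned in the thread test behaviour.

```shell
#!/bin/sh
# Added example: classify the first line of `bash --version` by patch level.
# Baselines are assumptions taken from this thread: 3.2.53 is the level the
# quoted article reports after Apple's update, and 4.3.26 is its 4.3
# counterpart under the 3.2 (52,53,54) <-> 4.3 (25,26,27) mapping.

# Print "BRANCH PATCH" (e.g. "3.2 53") parsed from version output, or nothing.
parse_bash_version() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\)\.\([0-9][0-9]*\)(.*/\1 \2/p' |
        head -n 1
}

# Print the assumed baseline patch level for a branch; fail for other branches.
baseline_for() {
    case "$1" in
        3.2) echo 53 ;;
        4.3) echo 26 ;;
        *)   return 1 ;;
    esac
}

# Print "ok", "below" or "unknown" followed by the details; always returns 0.
assess_bash() {
    parsed=$(parse_bash_version "$1")
    if [ -z "$parsed" ]; then
        echo "unknown: unrecognised version output"
        return 0
    fi
    branch=${parsed% *}
    patch=${parsed#* }
    if ! base=$(baseline_for "$branch"); then
        echo "unknown: no baseline for bash $branch.$patch"
        return 0
    fi
    if [ "$patch" -ge "$base" ]; then
        echo "ok: $branch.$patch >= $branch.$base"
    else
        echo "below: $branch.$patch < $branch.$base"
    fi
}

# Version lines quoted in the thread, plus the local shell when bash is present.
assess_bash 'GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)'
assess_bash 'GNU bash, version 4.3.28(4)-release (i386-apple-darwin8.11.0)'
if command -v bash >/dev/null 2>&1; then
    assess_bash "$(bash --version)"
fi
```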
Re: Shellshock – Bash-related Linux security bug
alternaut #31486 10/11/14 12:05 AM
A (probably) final update from TenFourFox Development...

Quote:
FINAL UPDATE: 4.3.30 is now available. There are no new tests, and it is not clear the flaws it fixes are exploitable with the other changes, but it is available for those that wish it. Assuming no other vulnerabilities are found in the near future, this should be the last patch.

Edit: v 4.3.30 d/l's as a .gz file and opens to...an unidentified something; anybody got any ideas?

Last edited by artie505; 10/11/14 12:13 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Shellshock – Bash-related Linux security bug
artie505 #31492 10/11/14 02:13 PM
The 'bash-4.3.30-10.4u' file you get when you decompress that gz archive is the properly formatted and patched bash version you need to replace your current one with, using the procedure described in detail further down the page you linked to.

If you prefer to use an installer for this patch, go HERE, where you'll find a link to the updated version of the old installer. The download option I posted in post 31391 above used patch v4.3.28, and has now been removed and replaced with the new one here.

Last edited by alternaut; 10/11/14 02:20 PM.

alternaut moderator
Re: Shellshock – Bash-related Linux security bug
alternaut #31495 10/11/14 09:39 PM
The version of bash used in Yosemite beta 5 is GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin14). However it passes all of the TenFourFox tests.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Shellshock – Bash-related Linux security bug
joemikeb #31496 10/11/14 10:05 PM
You're fine if you patched your system and it passes the flaw test, regardless of exactly which patch version you applied. As I mentioned before, those Bash patches keep on coming, and their relevance to the Shellshock flaws—assuming there is one—is not always clear. If you want to look into the details, check out the various patch reports in their respective repositories:

- bash-3.2 patches
- bash-4.3 patches


alternaut moderator
Re: Shellshock – Bash-related Linux security bug
alternaut #31499 10/12/14 04:38 AM
Thanks for the clarification (because I had your original link in hand I had never read down the page) and the new installer link.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire