Solaris 10 & 11 Shellshock

1746535
1746535 Member Posts: 1
edited Sep 28, 2014 10:10AM in Solaris 10

Has Oracle released any patches to Bash on Solaris 10 & 11 because of CVE-2014-6271?


Answers

  • Status for Solaris patches

    The following IDRs/Patches will follow upstream guidance to remedy the
    externally reported vulnerability present in BASH (CVE-2014-7169 / CVE-2014-6271)

    Please note that these are currently all IDR patches.

    To download the patches go to support.oracle.com, select "Patches &
    Updates" tab. If you search for the patch number then the appropriate
    patch will show up.

    The details follow:

    Solaris 11.x (contains SPARC and x64 binaries)

    idr1399.1 Patch number 19687137 - applies to Solaris 11.2 to Solaris 11.2 SRU2.5:
    idr1400.1 Patch number 19687094 - applies to Solaris 11.1 to Solaris 11.1 SRU12.5:
    idr1401.1 Patch number 19686997 - applies to Solaris 11.1 SRU13.6 to Solaris 11.1 SRU21.4.1

    Solaris 10
    SPARC: 151577-01 Patch number 19689287
    x86: 151578-01 Patch number 19689293

    Note that the Solaris 10 patches have dependencies on
    SPARC: 126546-05
    x86: 126547-05

    Solaris 9
    SPARC: 151573-01 Patch number 19687942
    x86: 151574-01 Patch number 19687947

    Solaris 8 - Expected to be available later today


    Instructions on how to install a Solaris 11 IDR can be found in Note 1452392.1

  • 1397521
    1397521 Member Posts: 1

    Tested patches listed on a few secondary servers last night, seem to work as well
    as compiling bash from source with all patches. We are deciding how to proceed
    since it's an interim patch, but will likely use Oracle patch to keep reported patch
    levels by OS tools accurate.

  • ultrafire
    ultrafire Member Posts: 13

    Hi folks,

    just one question:

    I am using Solaris on SPARC and X86 really for private use...... and I have no support contract.

    How do I get these patches for S10/11 ?

    I wonder if there is just a possibility by a payable support contract......... due this is a bug since the very first days of bash ?

    thx for answers

    ultrafire

  • user13607177
    user13607177 Member Posts: 1 Blue Ribbon

    Hi!

    I'm missing patch for Solaris 11.0. Why no 11.0 IDR?

    Thanks!

    /Henrik

  • Ronald-Oracle
    Ronald-Oracle Member Posts: 89
    edited Sep 26, 2014 7:08PM

    Hi,

    Solaris 11.0 does not receive further fixes. There really is only one patch train for
    a given Solaris minor release such as 8, 9, 10 or 11. Fixes are built from
    the current source tree of the given release. So normally just a fix based
    on Solaris 11.2 would be delivered. This time some IDRs were provided for
    the previous micro release 11.1 as well probably because that is still widely
    used and 11.2 is relatively recent.

    From a user's point of view those updates are all just a point in time:

    11.0 -> SRUs based on 11.0 -> 11.1 -> SRUs based on 11.1 -> 11.2 -> SRUs based on 11.2 -> ...

    So once 11.x+1 is released we stop producing SRUs for 11.x (some overlap might happen
    in some situations). Running 11.0 today means that the system hasn't received bug fixes
    including security fixes for quite some time. So if you still use 11.0: Upgrade to 11.2 (or
    11.2.2.7.0 a.k.a. S11.2 SRU2.7 if under support contract).

    Regards,

      Ronald

  • RaiderOfTheLostSPARC
    RaiderOfTheLostSPARC Member Posts: 259 Blue Ribbon

    I can be wrong but I'm sure you'll have to wait for the next public release to get the fix (Solaris 11.3?!).

    Though nobody can keep you from using the patches/manifest/etc. from https://java.net/projects/solaris-userland/sources/gate/show/components/bash to create your own updated IPS pkg…

  • ultrafire
    ultrafire Member Posts: 13
    edited Sep 28, 2014 10:10AM

    EDIT 2

    Hi Folks

    status for my workaround:

    1. my workaround runs under one of our notebooks sol11.2/x86 without probs

    /opt/csw/bin in front of all in the /etc/profile

    2.

    first sparc system: sol10 sparc U5 , cswbash was installed years ago as standard-shell global (except root - sh), so this was just an update for the installed cswbash by

    pkgutil -u bash

    second sparc system sol11.1/niagara had an installed cswbash, but not using it (was coming down via pkg dependency) - anyway, I put the path of csw-bin to front and made the cswupdate, running.

    third sparc system is a sol10zone on the sol11.1 sparc-system, installed csw-bash, procedure like the other 2 sparc systems, running

    3.

    so the only system which has problems by using my workaround is the other sol11.2/x86 notebook. If I use there my workaround, I cannot start gnome-terminal neither xterm etc. in the sol-GUI, remote-shell login via ssh is working, and opens a working csw-bash

    changing the $PATH environment didn't help, so I had to switch back to the original oracle-bash :-(

    If I am trying to start WITH workaround a gnome-terminal, it looks like gnome-terminal is coredumping, the window opens for 1/2 sec, and closes without error msg.

    -----------------------------------

    BTW

    There are MORE vulnerabilities in the bash, they talk at least about 3 major ones .......

    ---------------------------

    Hi raider,

    yes, I guess this is a solution.

    But:

    if u have installed

    pkgutil     ( Getting started — OpenCSW 0.2014.04 documentation )

    works very fine with x86/sparc s10/11.x

    on opencsw there is a patched version ready for install using pkgutil

    open at least before you begin 2 new shells , one as role root, if something goes wrong, that u have access to the system to reedit the changes, and one as normal user.

    have a look at http://www.opencsw.org/get-it/packages/

    sudo pkgutil -i bash

    just rename the original one in /usr/bin  to e.g. bash_ORIG_vunerable

    cd /usr/bin

    sudo mv bash bash_ORIG_vunerable

    and

    sudo ln -s /opt/csw/bin/bash /usr/bin/bash

    then

    sudo chmod -w /opt/csw/bin/bash

    then try in a new shell

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    should return only

    this is a test

    and nothing with vulnerable

    it is important to all systems which are providing ANY KIND of service to the internet (mail, ssh, ntp http ftp etc, have a look at Hackers take advantage of Bash Shellshock bug as developers rush to patch- The Inquirer )

    hope this helps all with no CSI / contract

    PS: I do not understand why you need for such a heavy security-bug(s) (in the opensource bash which is used and provided by oracle sol + linux) a purchaseable contract ????

    And really we are using at home sol on 2 private samsung-notebooks (just doing things u do with a notebook) , and a old ultra 5 and a sun-fire/niagara (with 2 zones), doing all u need to do for an oceanographic studying (education as student) - NO commercial use at all.......

    b.r.

    ultrafire
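
The check quoted in the post above, applied to every bash binary a host may end up with after this kind of workaround (added example, not part of the original thread or any Oracle/OpenCSW tooling). The function names are hypothetical, the candidate paths are the ones named in the thread, and only the CVE-2014-6271 test string from the page is exercised.

```shell
#!/bin/sh
# Added example: test each candidate bash for CVE-2014-6271 with the
# test string quoted in the thread. Function names are hypothetical.

# check_bash PATH -> 0 not vulnerable, 1 vulnerable, 2 missing/not a usable shell
check_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    # A vulnerable bash executes the trailing "echo vulnerable" while it
    # imports the function definition from the environment, before the
    # -c command runs.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)       return 1 ;;
        *"this is a test"*) return 0 ;;
        *)                  return 2 ;;  # did not behave like a shell
    esac
}

# report PATH... -> one line per candidate; return value = number vulnerable
report() {
    bad=0
    for candidate in "$@"; do
        rc=0
        check_bash "$candidate" || rc=$?
        case $rc in
            0) echo "OK          $candidate" ;;
            1) echo "VULNERABLE  $candidate"; bad=$((bad + 1)) ;;
            *) echo "skipped     $candidate" ;;
        esac
    done
    return "$bad"
}

# Paths from the thread: the OS bash (or the symlink replacing it), the
# OpenCSW bash, and the renamed original, which stays vulnerable on disk.
report /usr/bin/bash /opt/csw/bin/bash /usr/bin/bash_ORIG_vunerable || true
```

A renamed original that is still executable will be reported as VULNERABLE; anything that invokes it by its new path, or a service whose shell path was not updated, is still exposed.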

This discussion has been closed.