Solaris 10 & 11 Shellshock

Has Oracle released any patches to Bash on Solaris 10 & 11 because of CVE-2014-6271?
Answers
-
Status for Solaris patches
The following IDRs/Patches will follow upstream guidance to remedy the
externally reported vulnerability present in BASH (CVE-2014-7169 / CVE-2014-6271)
Please note that these are currently all IDR patches.
To download the patches go to support.oracle.com, select "Patches &
Updates" tab. If you search for the patch number then the appropriate
patch will show up.
The details follow:
Solaris 11.x (contains SPARC and x64 binaries)
idr1399.1 Patch number 19687137 - applies to Solaris 11.2 to Solaris 11.2 SRU2.5:
idr1400.1 Patch number 19687094 - applies to Solaris 11.1 to Solaris 11.1 SRU12.5:
idr1401.1 Patch number 19686997 - applies to Solaris 11.1 SRU13.6 to Solaris 11.1 SRU21.4.1
Solaris 10
SPARC: 151577-01 Patch number 19689287
x86: 151578-01 Patch number 19689293
Note that the Solaris 10 patches have dependencies on
SPARC: 126546-05
x86: 126547-05
Solaris 9
SPARC: 151573-01 Patch number 19687942
x86: 151574-01 Patch number 19687947
Solaris 8 - Expected to be available later today
Instructions on how to install a Solaris 11 IDR can be found in Note 1452392.1 -
Tested patches listed on a few secondary servers last night, seem to work as well
as compiling bash from source with all patches. We are deciding how to proceed
since it's an interim patch, but will likely use Oracle patch to keep reported patch
levels by OS tools accurate.
-
Hi,
please see MOS document 1930090.1 for the available solutions: http://support.oracle.com/rs?type=doc&id=1930090.1
Bye,
Wolfgang.
-
Hi folks,
just one question:
I am using Solaris on SPARC and X86 really for private use...... and I have no support contract.
How do I get these patches for S10/11 ?
I wonder if there is just a possibility by a payable support contract......... due to this being a bug since the very first days of bash?
thx for answers
ultrafire
-
Hi!
I'm missing patch for Solaris 11.0. Why no 11.0 IDR?
Thanks!
/Henrik
-
Hi,
Solaris 11.0 does not receive further fixes. There really is only one patch train for
a given Solaris minor release such as 8, 9, 10 or 11. Fixes are built from the
current source tree of the given release. So normally just a fix based
on Solaris 11.2 would be delivered. This time some IDRs were provided for
the previous micro release 11.1 as well probably because that is still widely
used and 11.2 is relatively recent.
From a user's point of view those updates are all just a point in time:
11.0 -> SRUs based on 11.0 -> 11.1 -> SRUs based on 11.1 -> 11.2 -> SRUs based on 11.2 -> ...
So once 11.x+1 is released we stop producing SRUs for 11.x (some overlap might happen
in some situations). Running 11.0 today means that the system hasn't received bug fixes
including security fixes for quite some time. So if you still use 11.0: Upgrade to 11.2 (or
11.2.2.7.0 a.k.a. S11.2 SRU2.7 if under support contract).
Regards,
Ronald
-
I can be wrong but I'm sure you'll have to wait for the next public release to get the fix (Solaris 11.3?!).
Though nobody can keep you from using the patches/manifest/etc. from https://java.net/projects/solaris-userland/sources/gate/show/components/bash to create your own updated IPS pkg…
-
EDIT 2
Hi Folks
status for my workaround:
1. my workaround runs under one of our notebooks sol11.2/x86 without probs
/opt/csw/bin in front of all in the /etc/profile
2.
first sparc system: sol10 sparc U5 , cswbash was installed years ago as standard-shell global (except root - sh), so this was just an update for the installed cswbash by
pkgutil -u bash
second sparc system sol11.1/niagara had an installed cswbash, but not using it (was coming down via pkg dependency) - anyway, I put the path of csw-bin to front and made the cswupdate, running.
third sparc system is a sol10zone on the sol11.1 sparc-system, installed csw-bash, procedure like the other 2 sparc systems, running
3.
so the only system which has problems by using my workaround is the other sol11.2/x86 notebook. If I use my workaround there, I cannot start gnome-terminal nor xterm etc. in the sol-GUI; remote-shell login via ssh is working, and opens a working csw-bash
changing the $PATH environment didn't help, so I had to switch back to the original oracle-bash :-(
If I am trying to start a gnome-terminal WITH the workaround, it looks like gnome-terminal is coredumping, the window opens for 1/2 sec, and closes without error msg.
-----------------------------------
BTW
There are MORE vulnerabilities in the bash, they talk at least about 3 major ones .......
---------------------------
Hi raider,
yes, I guess this is a solution.
But:
if u have installed
pkgutil ( Getting started — OpenCSW 0.2014.04 documentation )
works very fine with x86/sparc s10/11.x
on opencsw there is a patched version ready for install using pkgutil
open at least before you begin 2 new shells , one as role root, if something goes wrong, that u have access to the system to reedit the changes, and one as normal user.
have a look at http://www.opencsw.org/get-it/packages/
sudo pkgutil -i bash
just rename the original one in /usr/bin to e.g. bash_ORIG_vunerable
cd /usr/bin
sudo mv bash bash_ORIG_vunerable
and
sudo ln -s /opt/csw/bin/bash /usr/bin/bash
then
sudo chmod -w /opt/csw/bin/bash
then try in a new shell
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
should return only
this is a test
and nothing with vulnerable
it is important to all systems which are providing ANY KIND of service to the internet (mail, ssh, ntp http ftp etc, have a look at Hackers take advantage of Bash Shellshock bug as developers rush to patch- The Inquirer )
hope this helps all with no CSI / contract
PS: I do not understand why you need for such a heavy security-bug(s) (in the opensource bash which is used and provided by oracle sol + linux) a purchaseable contract ????
And really we are using at home sol on 2 private samsung-notebooks (just doing things u do with a notebook) , and a old ultra 5 and a sun-fire/niagara (with 2 zones), doing all u need to do for an oceanographic studying (education as student) - NO commercial use at all.......
b.r.
ultrafire
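
After the workaround above a system holds several bash binaries (the OpenCSW one, the `/usr/bin/bash` link and the renamed original), so the one-line test is worth running against each path rather than only against whichever `bash` comes first in `$PATH`. The script below is an added example, not part of the original posts or any Oracle or OpenCSW tooling; the function names `check_bash` and `report` are made up here, and the paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): probe bash binaries for CVE-2014-6271
# with the same test command the post above uses.

# check_bash PATH -> prints: vulnerable | not vulnerable | missing | error
check_bash() {
    shell=$1
    if [ ! -x "$shell" ]; then
        echo "missing"
        return 0
    fi
    # env -i: start from an empty environment so only the probe variable x
    # is imported. A vulnerable bash runs the command that trails the
    # function body while importing x and prints the marker word.
    out=$(env -i x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*)       echo "vulnerable" ;;
        *"this is a test"*) echo "not vulnerable" ;;
        *)                  echo "error" ;;
    esac
}

# report PATH... -> one line per binary; returns 1 if any binary is vulnerable
report() {
    rc=0
    for candidate in "$@"; do
        result=$(check_bash "$candidate")
        printf '%-36s %s\n' "$candidate" "$result"
        if [ "$result" = "vulnerable" ]; then rc=1; fi
    done
    return "$rc"
}

# Paths as used in the thread (assumed layout; adjust for the local system).
report /usr/bin/bash /opt/csw/bin/bash /usr/bin/bash_ORIG_vunerable ||
    echo "at least one bash binary is still vulnerable to CVE-2014-6271"
```

This probe covers only CVE-2014-6271; a "not vulnerable" result says nothing about CVE-2014-7169, which the patch list earlier in the thread also names.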