CVE-2014-6271 and CVE-2014-7169 Patch Availability Document for Oracle Linux

Mukeshs Member Posts: 74
edited Oct 7, 2014 8:06AM in Oracle Linux and UEK Preview

Hi,

Can you suggest where we need to download the bash RPMs for OEL 6 from:

bash-4.1.2-15.el6_5.2.x86_64.rpm

bash-doc-4.1.2-15.el6_5.2.x86_64.rpm

Thanks in advance!!

Mukesh

Answers

  • Todd Vierling-Oracle
    Todd Vierling-Oracle Member Posts: 33 Employee
    edited Oct 6, 2014 10:00AM

    If you're unsure about how to update bash itself, chances are you're vulnerable to a host of other exploits besides Shellshock, and you need to update your whole system(s), not just bash.

    Make sure you have updates properly configured, then just run "yum update" to get all security fixes for Oracle Linux -- including bash. Systems which have direct connectivity to the global Internet can simply use public-yum (see Oracle Public Yum Server for instructions on using it), and systems which do not have global connectivity can use a locally created yum mirror (see How to Create a Local Yum Repository for Oracle Linux for more information).

    You'll want to make sure that you enable the "ol6_latest" update channel, as well as the channel corresponding to the version of UEK that you use: "ol6_UEK_latest" for UEK2 (2.6.39), or "ol6_UEKR3" for UEK3 (3.8.13).

  • Mukeshs
    Mukeshs Member Posts: 74

    Hi Todd,

    Thanks for the reply.

    Our current bash version is bash-4.1.2-15.el6_4.x86_64. If we install the latest bash, will it fix the issue?

    Is there any link from where we can download the bash RPMs?

    We don't have internet enabled from our Linux hosts.

    Regards,

    Mukesh

  • Todd Vierling-Oracle
    Todd Vierling-Oracle Member Posts: 33 Employee

    First see the document I linked about creating a local yum mirror (How to Create a Local Yum Repository for Oracle Linux). I very strongly recommend setting this up so your systems can get other updates besides bash.

    The individual RPMs can be found at Index of /repo/OracleLinux/OL6/latest/x86_64/ -- but I cannot stress the importance of updating entire systems rather than just bash. If you are not updating your systems periodically, bash is just one of your worries (as you're undoubtedly vulnerable to hundreds of other exploits in other packages besides Shellshock). Please set up an update repository and use it.

    Patching only the vulnerabilities you see in the news is equivalent to locking your home's front door, but leaving the security alarm disconnected and the back door held open with a doorstop. You need all the updates, not just bash.

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,824 Employee

    Another option is to deploy Spacewalk and use that to monitor and manage updates for all your systems. The Spacewalk server will need access to the Internet either directly or via a proxy and can then deliver updates to all of your servers internally. Your internal servers would only need access to Spacewalk and not the Internet. Further, Spacewalk can report on all the packages and errata that are currently available for all your systems.

  • Mukeshs
    Mukeshs Member Posts: 74

    Thanks Avi and Todd for your suggestion.

This discussion has been closed.
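The version question in the thread, worked as an added example (not code from the thread or from Oracle): an RPM-style version comparison that flags hosts whose installed bash is older than the build named in the question. It assumes that build is the target, ignores epochs and the `~`/`^` markers, and uses a constructed inventory in which only the `db01` value comes from the thread.

```python
import re

# Build named in the question; assumed here to be the target build.
FIXED = "bash-4.1.2-15.el6_5.2.x86_64"

# Constructed inventory: host -> `rpm -q bash` output (only db01 is from the thread).
INVENTORY = {
    "db01": "bash-4.1.2-15.el6_4.x86_64",
    "app02": "bash-4.1.2-15.el6_5.2.x86_64",
    "web03": "bash-4.1.2-14.el6.x86_64",
    "ops04": "bash-4.1.2-29.el6.x86_64",
}

def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does: -1, 0 or 1.
    Separators are ignored; digit runs compare as numbers, letter runs as text."""
    ta = re.findall(r"[0-9]+|[A-Za-z]+", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit():      # a numeric segment is newer than an alphabetic one
            return 1
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def parse_nvra(nvra):
    """Split 'name-version-release.arch[.rpm]' into its four parts."""
    if nvra.endswith(".rpm"):
        nvra = nvra[:-4]
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def older_than(installed, fixed=FIXED):
    """True when the installed package sorts before the target build."""
    n1, v1, r1, _ = parse_nvra(installed)
    n2, v2, r2, _ = parse_nvra(fixed)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) < 0

def hosts_needing_update(inventory, fixed=FIXED):
    return sorted(h for h, pkg in inventory.items() if older_than(pkg, fixed))

if __name__ == "__main__":
    print(hosts_needing_update(INVENTORY))
```
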