8 Replies Latest reply on Sep 28, 2014 2:10 PM by ultrafire

    Solaris 10 & 11 Shellshock

    1746535

      Has Oracle released any patches to Bash on Solaris 10 & 11 because of CVE-2014-6271?

        • 1. Re: Solaris 10 & 11 Shellshock
          user6881887

          Status for Solaris patches

           

          The following IDRs/Patches will follow upstream guidance to remedy the
          externally reported vulnerability present in BASH (CVE-2014-7169 / CVE-2014-6271)

          Please note that these are currently all IDR patches.

          To download the patches go to support.oracle.com, select "Patches &
          Updates" tab. If you search for the patch number then the appropriate
          patch will show up.

          The details follow:

          Solaris 11.x (contains SPARC and x64 binaries)

          idr1399.1 Patch number 19687137 - applies to Solaris 11.2 to Solaris 11.2 SRU2.5
          idr1400.1 Patch number 19687094 - applies to Solaris 11.1 to Solaris 11.1 SRU12.5
          idr1401.1 Patch number 19686997 - applies to Solaris 11.1 SRU13.6 to Solaris 11.1 SRU21.4.1

          Solaris 10
          SPARC: 151577-01 Patch number 19689287
          x86: 151578-01 Patch number 19689293

          Note that the Solaris 10 patches have dependencies on
          SPARC: 126546-05
          x86: 126547-05

          Solaris 9
          SPARC: 151573-01 Patch number 19687942
          x86: 151574-01 Patch number 19687947

          Solaris 8 - Expected to be available later today


          Instructions on how to install a Solaris 11 IDR can be found in
          Note 1452392.1
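An added example, not part of the reply above and not Oracle tooling: a POSIX sh helper that reads `showrev -p` output from a Solaris 10 host and checks that the bash patch for its architecture, and the prerequisite the reply lists, are installed at the listed revision or newer (a later revision of the same patch satisfies the check). The `showrev -p` sample is constructed; the `Patch:` field layout follows the real command, the `Requires:`/`Packages:` columns are illustrative. The Solaris 11 IDRs are IPS packages and are not covered by this helper.

```shell
#!/bin/sh
# Added example, not from the thread: check `showrev -p` output on Solaris 10
# for the bash Shellshock patch and its prerequisite at the listed revision or newer.

# Constructed sample of `showrev -p` output (field layout follows the real
# command; the Requires/Packages columns are illustrative).
SAMPLE_SHOWREV='Patch: 126546-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWbash
Patch: 119254-90 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpkgcmdsu
Patch: 151577-01 Obsoletes:  Requires: 126546-05 Incompatibles:  Packages: SUNWbash'

# installed_rev OUTPUT BASE
#   Prints the highest installed revision (two digits) of patch BASE, or
#   nothing if no revision of it is installed. Revisions compare numerically,
#   so "-10" outranks "-09".
installed_rev() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (p[2] + 0) > max) max = p[2] + 0
        }
        END { if (max > 0) printf "%02d\n", max }'
}

# patch_satisfied OUTPUT PATCHID
#   PATCHID is "base-rev" (e.g. 151577-01). Prints "ok" if that revision or
#   a later one is installed, "missing" if none is, "old:NN" otherwise.
patch_satisfied() {
    base=${2%-*}
    want=${2#*-}
    have=$(installed_rev "$1" "$base")
    if [ -z "$have" ]; then
        echo missing
    elif awk -v h="$have" -v w="$want" 'BEGIN { exit !(h + 0 >= w + 0) }'; then
        echo ok
    else
        echo "old:$have"
    fi
}

# shellshock_patch_status OUTPUT ARCH
#   ARCH is "sparc" or "x86". Checks the prerequisite first (the reply lists
#   126546-05 / 126547-05 as dependencies), then the bash patch itself.
#   Prints "ok", or the first unsatisfied patch id and why, returning 1.
shellshock_patch_status() {
    case $2 in
        sparc) bash_patch=151577-01; dep=126546-05 ;;
        x86)   bash_patch=151578-01; dep=126547-05 ;;
        *)     echo "unknown arch: $2"; return 2 ;;
    esac
    for p in "$dep" "$bash_patch"; do
        status=$(patch_satisfied "$1" "$p")
        if [ "$status" != ok ]; then
            echo "$p $status"
            return 1
        fi
    done
    echo ok
}

# On a real Solaris 10 host (uname -p prints "sparc" or "i386"):
#   shellshock_patch_status "$(showrev -p)" "$(uname -p | sed 's/i386/x86/')"
```

With the constructed sample, the SPARC check passes (126546 is installed at -06, which is newer than the required -05, and 151577-01 is present), while the x86 check stops at the missing prerequisite 126547-05 before even looking for 151578-01, which matches the order in which patchadd would complain.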

          • 2. Re: Solaris 10 & 11 Shellshock
            1397521

            Tested the patches listed on a few secondary servers last night; they seem to work as well as compiling bash from source with all patches. We are deciding how to proceed since it's an interim patch, but will likely use the Oracle patch to keep the patch levels reported by OS tools accurate.

            • 3. Re: Solaris 10 & 11 Shellshock
              Wolfgang Ley-Oracle

              Hi,

               

              please see MOS document 1930090.1 for the available solutions: http://support.oracle.com/rs?type=doc&id=1930090.1

               

              Bye,

                Wolfgang.

              • 4. Re: Solaris 10 & 11 Shellshock
                ultrafire

                Hi folks,

                 

                just one question:

                 

                I am using Solaris on SPARC and x86 really just for private use...... and I have no support contract.
                How do I get these patches for S10/11?

                I wonder whether the only possibility is a paid support contract......... given that this has been a bug since the very first days of bash?

                Thanks for any answers

                 

                ultrafire

                • 5. Re: Solaris 10 & 11 Shellshock
                  user13607177

                  Hi!

                  I'm missing a patch for Solaris 11.0. Why is there no 11.0 IDR?

                   

                  Thanks!

                   

                  /Henrik

                  • 6. Re: Solaris 10 & 11 Shellshock
                    Ronald-Oracle

                    Hi,

                     

                    Solaris 11.0 does not receive further fixes. There really is only one patch train for a given Solaris minor release such as 8, 9, 10 or 11. Fixes are built from the current source tree of the given release. So normally just a fix based on Solaris 11.2 would be delivered. This time some IDRs were provided for the previous micro release 11.1 as well, probably because that is still widely used and 11.2 is relatively recent.
                    From a user's point of view those updates are all just a point in time:

                    11.0 -> SRUs based on 11.0 -> 11.1 -> SRUs based on 11.1 -> 11.2 -> SRUs based on 11.2 -> ...

                    So once 11.x+1 is released we stop producing SRUs for 11.x (some overlap might happen in some situations). Running 11.0 today means that the system hasn't received bug fixes, including security fixes, for quite some time. So if you still use 11.0: upgrade to 11.2 (or 11.2.2.7.0 a.k.a. S11.2 SRU2.7 if under a support contract).

                     

                    Regards,

                      Ronald

                    • 7. Re: Solaris 10 & 11 Shellshock
                      RaiderOfTheLostSPARC

                      I may be wrong, but I'm sure you'll have to wait for the next public release to get the fix (Solaris 11.3?!).

                       

                      Though nobody can keep you from using the patches/manifest/etc. from https://java.net/projects/solaris-userland/sources/gate/show/components/bash to create your own updated IPS pkg…

                      • 8. Re: Solaris 10 & 11 Shellshock
                        ultrafire

                        EDIT 2

                         

                        Hi Folks

                         

                        status for my workaround:

                         

                        1. My workaround runs on one of our notebooks (sol11.2/x86) without problems:
                        /opt/csw/bin in front of everything else in /etc/profile

                        2.
                        First SPARC system: sol10 sparc U5; cswbash was installed years ago as the global standard shell (except for root, which uses sh), so this was just an update of the installed cswbash by

                        pkgutil -u bash

                        Second SPARC system: sol11.1/niagara had cswbash installed but was not using it (it came in via a package dependency); anyway, I put the csw bin path in front and ran the csw update. Running.

                        Third SPARC system is a sol10 zone on the sol11.1 SPARC system; csw-bash installed, procedure like the other 2 SPARC systems. Running.

                        3.
                        So the only system which has problems with my workaround is the other sol11.2/x86 notebook. If I use my workaround there, I can start neither gnome-terminal nor xterm etc. in the Solaris GUI; remote shell login via ssh works and opens a working csw-bash.
                        Changing the $PATH environment didn't help, so I had to switch back to the original Oracle bash :-(

                        If I try to start a gnome-terminal WITH the workaround, it looks like gnome-terminal is core dumping: the window opens for half a second and closes without an error message.

                         

                         

                        -----------------------------------

                         

                        BTW

                         

                        There are MORE vulnerabilities in bash; they talk about at least 3 major ones .......

                         

                         

                        ---------------------------

                         

                         

                        Hi raider,

                        yes, I guess this is a solution.
                        But:

                        if you have pkgutil installed ( Getting started — OpenCSW 0.2014.04 documentation ), it works very well with x86/sparc s10/11.x;
                        on OpenCSW there is a patched version ready to install using pkgutil.

                         

                         

                         

                        Before you begin, open at least 2 new shells, one as the root role, so that if something goes wrong you still have access to the system to re-edit the changes, and one as a normal user.
                        Have a look at http://www.opencsw.org/get-it/packages/

                        sudo pkgutil -i bash

                        Then just rename the original one in /usr/bin to e.g. bash_ORIG_vulnerable:

                        cd /usr/bin

                        sudo mv bash bash_ORIG_vulnerable

                        and

                        sudo ln -s /opt/csw/bin/bash /usr/bin/bash

                        then

                        sudo chmod -w /opt/csw/bin/bash

                        Then try in a new shell

                        env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

                        which should return only

                        this is a test

                        and nothing with "vulnerable".

                        It is important for all systems which provide ANY KIND of service to the internet (mail, ssh, ntp, http, ftp etc.; have a look at "Hackers take advantage of Bash Shellshock bug as developers rush to patch" (The Inquirer)).

                        Hope this helps all with no CSI / contract.

                        PS: I do not understand why you need a purchasable contract for such heavy security bug(s) (in the open-source bash which is used and provided by Oracle Solaris + Linux)????

                        And really, we are using Solaris at home on 2 private Samsung notebooks (just doing the things you do with a notebook), an old Ultra 5 and a Sun Fire/Niagara (with 2 zones), doing all you need to do for oceanographic studies (education as a student) - NO commercial use at all.......

                         

                        b.r.

                         

                        ultrafire
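An added example, not part of ultrafire's post or any Oracle or OpenCSW tooling: a POSIX sh function that probes a given bash binary for both CVE-2014-6271 (the `x='() { :;}; echo vulnerable'` test quoted in the post) and CVE-2014-7169 (the incomplete-fix follow-up the first reply also names), so the swapped-in /opt/csw/bin/bash, the renamed original, and any other copies on a box can be checked with one call rather than by eye. The CVE-2014-7169 probe uses the widely published `X='() { (a)=>\'` form and runs in a scratch directory because a shell that still has that bug writes a file named `echo` into the current directory instead of running `echo`.

```shell
#!/bin/sh
# Added example, not from the thread: probe a bash binary for the two
# Shellshock issues named in the thread, CVE-2014-6271 and CVE-2014-7169.

# shellshock_check PATH_TO_BASH
#   Prints "ok" if neither issue reproduces, otherwise a comma-separated list
#   of the CVE ids that did (exit status 1). Exit status 2 on usage errors.
shellshock_check() {
    sh_bin=$1
    [ -x "$sh_bin" ] || { echo "not executable: $sh_bin"; return 2; }
    found=

    # CVE-2014-6271: commands trailing a function definition in an exported
    # variable are executed while the new shell imports its environment.
    # A fixed shell runs only the -c command and prints "this is a test".
    out=$(env x='() { :;}; echo vulnerable' "$sh_bin" -c 'echo this is a test' 2>/dev/null) || :
    case $out in
        *vulnerable*) found=CVE-2014-6271 ;;
    esac

    # CVE-2014-7169: after the first fix, a crafted definition could still
    # leave parser state behind, so the next command's first word becomes a
    # redirection target: "echo date" then creates a file named "echo"
    # holding the output of date. Run in a scratch directory so a vulnerable
    # shell leaves nothing in the caller's cwd; only the file's existence
    # is used as the verdict.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$sh_bin" -c 'echo date' ) >/dev/null 2>&1 || :
    if [ -e "$tmp/echo" ]; then
        found=${found:+$found,}CVE-2014-7169
    fi
    rm -rf "$tmp"

    if [ -n "$found" ]; then
        echo "$found"
        return 1
    fi
    echo ok
}

# Usage from a login shell, e.g. before and after the /usr/bin/bash swap:
#   shellshock_check /opt/csw/bin/bash
#   shellshock_check /usr/bin/bash_ORIG_vulnerable
```

Because the probe reports per binary, run it against every bash on the system, not just the one first on $PATH: services started from /etc/init.d, cron and the GUI session often resolve /bin/bash or /usr/bin/bash directly, which is exactly why prepending /opt/csw/bin in /etc/profile protects interactive logins but not necessarily those paths.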