8 Replies Latest reply on Sep 28, 2014 2:10 PM by ultrafire

    Solaris 10 & 11 Shellshock


      Has Oracle released any patches to Bash on Solaris 10 & 11 because of CVE-2014-6271?

        • 1. Re: Solaris 10 & 11 Shellshock

          Status for Solaris patches


          The following IDRs/Patches will follow upstream guidance to remedy the
          externally reported vulnerability present in BASH (CVE-2014-7169 / CVE-2014-6271)

          Please note that these are currently all IDR patches.

          To download the patches go to support.oracle.com, select "Patches &
          Updates" tab. If you search for the patch number then the appropriate
          patch will show up.

          The details follow:

          Solaris 11.x (contains SPARC and x64 binaries)

          idr1399.1 Patch number 19687137 - applies to Solaris 11.2 to Solaris 11.2 SRU2.5:
          idr1400.1 Patch number 19687094 - applies to Solaris 11.1 to Solaris 11.1 SRU12.5:
          idr1401.1 Patch number 19686997 - applies to Solaris 11.1 SRU13.6 to Solaris 11.1 SRU21.4.1

          Solaris 10
          SPARC: 151577-01 Patch number 19689287
          x86: 151578-01 Patch number 19689293

          Note that the Solaris 10 patches have dependencies on
          SPARC: 126546-05
          x86: 126547-05

          Solaris 9
          SPARC: 151573-01 Patch number 19687942
          x86: 151574-01 Patch number 19687947

          Solaris 8 - Expected to be available later today

          Instructions on how to install a Solaris 11 IDR can be found in
          Note 1452392.1

          • 2. Re: Solaris 10 & 11 Shellshock

            Tested patches listed on a few secondary servers last night, seem to work as well
            as compiling bash from source with all patches. We are deciding how to proceed
            since it's an interim patch, but will likely use Oracle patch to keep reported patch
            levels by OS tools accurate.

            • 3. Re: Solaris 10 & 11 Shellshock
              Wolfgang Ley-Oracle



              please see MOS document 1930090.1 for the available solutions: http://support.oracle.com/rs?type=doc&id=1930090.1




              • 4. Re: Solaris 10 & 11 Shellshock

                Hi folks,


                just one question:


                I am using Solaris on SPARC and X86 really for private use...... and I have no support contract.

                How do I get these patches for S10/11 ?


                I wonder if there is just a possibility by a payable support contract......... due this is a bug since the very first days of bash ?


                thx for answers



                • 5. Re: Solaris 10 & 11 Shellshock


                  I'm missing patch for Solaris 11.0. Why no 11.0 IDR?





                  • 6. Re: Solaris 10 & 11 Shellshock



                    Solaris 11.0 does not receive further fixes. There really is only one patch train for
                    a given Solaris minor release such as 8, 9, 10 or 11. Fixes are built from
                    the current source tree of the given release. So normally just a fix based
                    on Solaris 11.2 would be delivered. This time some IDRs were provided for
                    the previous micro release 11.1 as well probably because that is still widely
                    used and 11.2 is relatively recent.

                    From a user's point of view those updates are all just a point in time:


                    11.0 -> SRUs based on 11.0 -> 11.1 -> SRUs based on 11.1 -> 11.2 -> SRUs based on 11.2 -> ...


                    So once 11.x+1 is released we stop producing SRUs for 11.x (some overlap might happen
                    in some situations). Running 11.0 today means that the system hasn't received bug fixes
                    including security fixes for quite some time. So if you still use 11.0: Upgrade to 11.2 (or
                    a.k.a. S11.2 SRU2.7 if under support contract).




                    • 7. Re: Solaris 10 & 11 Shellshock

                      I can be wrong but I'm sure you'll have to wait for the next public release to get the fix (Solaris 11.3?!).


                      Though nobody can keep you from using the patches/manifest/etc. from https://java.net/projects/solaris-userland/sources/gate/show/components/bash to create your own updated IPS pkg…

                      • 8. Re: Solaris 10 & 11 Shellshock

                        EDIT 2


                        Hi Folks


                        status for my workaround:


                        1. my workaround runs under one of our notebooks sol11.2/x86 without probs

                        /opt/csw/bin in front of all in the /etc/profile



                        first sparc system: sol10 sparc U5 , cswbash was installed years ago as standard-shell global (except root - sh), so this was just an update for the installed cswbash by


                        pkgutil -u bash


                        second sparc system sol11.1/niagara had an installed cswbash, but not using it (was coming down via pkg dependency) - anyway, I put the path of csw-bin to front and made the cswupdate, running.


                        third sparc system is a sol10zone on the sol11.1 sparc-system, installed csw-bash, procedure like the other 2 sparc systems, running



                        so the only system which has problems by using my workaround is the other sol11.2/x86 notebook. If I use there my workaround, I cannot start gnome-terminal neither xterm etc. in the sol-GUI, remote-shell login via ssh is working, and opens a working csw-bash

                        changing the $PATH environment didn't help, so I had to switch back to the original oracle-bash :-(


                        If I am trying to start WITH workaround a gnome-terminal, it looks like gnome-terminal is coredumping, the window opens for 1/2 sec, and closes without errormsg.







                        There are MORE vulnerabilities in the bash, they talk at least about 3 major ones .......






                        Hi raider,


                        yes, I guess this is a solution.



                        if u have installed


                        pkgutil     ( Getting started — OpenCSW 0.2014.04 documentation )

                        works very fine with x86/sparc s10/11.x

                        on opencsw there is a patched version ready for install using pkgutil




                        open at least before you begin 2 new shells , one as role root, if something goes wrong, that u have access to the system to reedit the changes, and one as normal user.

                        have a look at http://www.opencsw.org/get-it/packages/


                        sudo pkgutil -i bash


                        just rename the original one in /usr/bin  to e.g. bash_ORIG_vunerable


                        cd /usr/bin


                        sudo mv bash bash_ORIG_vunerable




                        sudo ln -s /opt/csw/bin/bash /usr/bin/bash




                        sudo chmod -w /opt/csw/bin/bash



                        then try in a new shell


                        env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


                        should return only


                        this is a test



                        and nothing with vulnerable


                        it is important to all systems which are providing ANY KIND of service to the internet (mail, ssh, ntp http ftp etc, have a look at Hackers take advantage of Bash Shellshock bug as developers rush to patch- The Inquirer )


                        hope this helps all with no CSI / contract


                        PS: I do not understand why you need for such a heavy security-bug(s) (in the opensource bash which is used and provided by oracle sol + linux) a purchasable contract ????


                        And really we are using at home sol on 2 private samsung-notebooks (just doing things u do with a notebook) , and a old ultra 5 and a sun-fire/niagara (with 2 zones), doing all u need to do for an oceanographic studying (education as student) - NO commercial use at all.......
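
The workaround in reply 8 leaves the original binary on disk as /usr/bin/bash_ORIG_vunerable beside the OpenCSW build, so checking each bash binary by path tells more than testing whichever one is first in $PATH. The script below is an added example, not part of the original posts: it reuses the CVE-2014-6271 probe quoted in the thread, and the function names probe_bash and audit_bash are made up here.

```shell
#!/bin/sh
# Added example: run the thread's CVE-2014-6271 probe against every bash
# binary on a host. Function names are hypothetical; paths come from the thread.

# probe_bash PATH -> prints vulnerable, patched, unknown or missing
probe_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # Same probe as in the thread: a patched bash does not execute the code
    # that trails the function definition stored in the variable x.
    out=`env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null` || true
    case $out in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;
    esac
}

# audit_bash PATH... -> one "status path" line per binary;
# returns 1 if at least one binary is vulnerable, 0 otherwise.
audit_bash() {
    rc=0
    for b in "$@"; do
        st=`probe_bash "$b"`
        echo "$st $b"
        if [ "$st" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

# The OS bash, the renamed original and the OpenCSW build named in the thread.
audit_bash /usr/bin/bash /usr/bin/bash_ORIG_vunerable /opt/csw/bin/bash
```

A renamed copy that still reports "vulnerable" remains executable by anything that calls it by its full path.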