bash bug? AIX 6

  • Creator
    Topic
  • #54398
    Michael Hertel
    Participant

      My system admins tell me they need to apply a security fix to bash on AIX 6 machines.

      We use ksh and tcsh mostly.

      Can anyone tell me where bash would be used by Cloverleaf or underlying programs?

      I’d like to perform a regression test on our non-prod box before fixing prod.

    Viewing 4 reply threads
    • Author
      Replies
      • #81321
        Rob Lindsey
        Participant

          I know of no place. I have checked my systems and bash is not loaded anywhere. I ran the standard test to see if vulnerable and mine are not.

          Rob

        • #81322
          Michael Hertel
          Participant

            Thanks for checking Rob.

          • #81323
            Robert Kersemakers
            Participant

              I heard about this yesterday from the guy installing our new CL60/Linux system. It’s a bash exploit, meaning others can inject code through bash. Execute this on your command prompt:

              Code:

              env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


              If it says ‘vulnerable’, then you need to patch your system.

              Zuyderland Medisch Centrum; Heerlen/Sittard; The Netherlands

            • #81324
              Yves Guerin
              Participant

                Dear,

                On our AIX 6.1 machine we have bash installed, so I wanted to know which software needs it:

                Code:

                rpm -q --whatrequires bash
                info-4.13a-1
                autoconf-2.63-1

                So reverse confirmation:

                Code:

                rpm -qR autoconf
                m4 >= 1.4.7
                /sbin/install-info  
                info  
                ==> bash <==
                /bin/sh  
                /bin/sh  
                /usr/bin/perl


                And

                Code:

                rpm -qR info
                ==> bash  = 0.17
                /bin/sh  
                libc.a(shr.o)  
                libcurses.a(shr42.o)  
                libintl.a(libintl.so.8)  
                libpthread.a(shr_comm.o)  
                libpthread.a(shr_xpg5.o)  

                So, you can remove the bash entry from

                Quote:

                /etc/shells

                and change the permission to deactivate the execution bit (with root account):

                Code:

                chmod guo-x `which bash`

                 😆

              • #81325

                Bash is the default shell for RedHat Linux.

                -- Max Drown (Infor)

            • The forum ‘Operating Systems’ is closed to new topics and replies.
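The question the thread starts with, where bash is actually in use, can also be checked directly on the box, alongside the rpm dependency queries shown above. The following is an added example, not part of the original posts and not Cloverleaf or Infor code: it lists scripts with a bash shebang, accounts whose login shell is bash, and whether a shells file still lists bash. The function names, the sample tree and the account name `appuser` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inventory of where bash is actually used.

# List regular files under directory $1 whose first line is a bash shebang.
find_bash_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        # Look at the first 256 bytes only, so large binaries are cheap to skip.
        first=$(dd if="$f" bs=256 count=1 2>/dev/null | head -n 1) || continue
        case $first in
            '#!'*/bash|'#!'*/bash' '*|'#!'*'env bash'|'#!'*'env bash '*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# List accounts whose login shell (last field of a passwd-format file) is bash.
bash_login_users() {
    awk -F: '$NF ~ /(^|\/)bash$/ { print $1 }' "${1:-/etc/passwd}"
}

# Succeed if a shells file (default /etc/shells) still lists bash.
bash_in_shells() {
    grep '^[^#]*/bash[[:space:]]*$' "${1:-/etc/shells}" >/dev/null 2>&1
}

# Build a small constructed sample tree in directory $1 for a dry run.
make_sample() {
    mkdir -p "$1/scripts"
    printf '#!/bin/bash\necho hi\n' > "$1/scripts/uses_bash.sh"
    printf '#!/usr/bin/env bash\necho hi\n' > "$1/scripts/env_bash.sh"
    printf '#!/bin/ksh\necho hi\n' > "$1/scripts/uses_ksh.sh"
    printf 'root:x:0:0::/:/usr/bin/ksh\nappuser:x:201:1::/home/appuser:/usr/bin/bash\n' > "$1/passwd"
    printf '/bin/sh\n/usr/bin/ksh\n/usr/bin/bash\n' > "$1/shells"
}

# Usage: sh bash_inventory.sh <directory> [passwd-file] [shells-file]
# With no arguments the file only defines the functions.
if [ "$#" -gt 0 ]; then
    find_bash_scripts "$1"
    bash_login_users "${2:-/etc/passwd}"
    bash_in_shells "${3:-/etc/shells}" && echo "bash is listed in the shells file"
fi
```

Running it against the application's install tree on the non-prod box before patching shows which scripts and accounts a regression test has to cover.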