BeagleBoard bash flaw

The bash flaw is there, does anyone have information on a fix yet?

http://securitywatch.pcmag.com/internet/327769-serious-bash-flaw-lets-attackers-hijack-linux-and-mac-computers

Mark

It should come down the security repo:

sudo apt-get update
sudo apt-get upgrade

see:
https://packages.qa.debian.org/b/bash.html

Regards,

As already noted the fix is already in the repositories.

However the vulnerability is only a risk to a BBB which has some sort
of access open to the internet. If your BBB is on a LAN behind a NAT
router and you don't have any ports open and redirected to the BBB
then your BBB isn't at risk even if not patched yet.

Unless the router DHCP daemon gets compromised:

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

... and it runs bash, which is unlikely. Anyway, why is the router's
DHCP going to talk to the outside?

My company has it set up.

Mark

apt-get update && apt-get upgrade problem solved.

Doesn’t BeagleBoard use busybox bash which doesn’t even have the flaw?

Starting with the BBB rev c, the factory image is based on Debian. Thus we use real bash…

Not to step on Robert's toes or anything but technically Debian comes with dash configured. Whether or not there is something done after the fact I do not know. As I have pretty much been using my own custom rootfs based on Robert's build instructions since last year. Also I am not sure if what affects bash affects dash too but . . .

However all it takes is one command dpkg-reconfigure dash → select no and all bets are off.

In Debian, bash is still considered "essential" therefore it's always
installed. By default "dash" takes over /bin/sh

There's a todo here:

https://wiki.debian.org/Proposals/RemoveBashFromEssential

Regards,
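
An added example, not part of the thread: since bash stays installed even when dash owns /bin/sh, this sketch reports what /bin/sh resolves to and lists scripts whose shebang names bash, which therefore run bash regardless of that setting. The function names and the default directories are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): see which shell /bin/sh resolves to,
# and which scripts name bash in their shebang and so run bash regardless.

# Print the basename of the binary that ROOT/bin/sh resolves to.
sh_target() {
    target=$(readlink -f "${1:-}/bin/sh" 2>/dev/null) || target=
    if [ -n "$target" ]; then basename "$target"; else echo unknown; fi
}

# Print every regular file under the given directories whose first line is
# a bash shebang (#!/bin/bash, #!/usr/bin/env bash, with or without args).
bash_shebang_scripts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null | sort | while IFS= read -r f; do
            if head -n 1 "$f" 2>/dev/null |
                grep -Eq '^#! ?/([^ ]*/)?(env +)?bash( |$)'; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Default directories are illustrative assumptions; pass your own instead.
audit() {
    [ "$#" -gt 0 ] || set -- /etc/init.d /etc/network /etc/dhcp
    echo "/bin/sh -> $(sh_target "")"
    echo "scripts that invoke bash directly:"
    bash_shebang_scripts "$@"
}

audit "$@"
```

Any file it lists keeps depending on the installed bash package, so the package still has to be upgraded even where /bin/sh is dash.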