about bash and Debian Lenny

about bash and Debian Lenny

Nikolay Hristov
Hello there,

I know that this is outdated debian release and it is in the archives
but I still have 6 servers running Lenny and I don't want to upgrade
them to newer versions for several reasons.
Any chance that we will get official debian package for Lenny? I'm sure
that I'm not the only one with such problem. I don't want to use deb
packages from different sources because I cannot trust them.

Shellshock has such big impact on the internet so please give us Lenny
package.

Nikolay Hristov



--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: https://lists.debian.org/542BE551.3020005@...

Re: about bash and Debian Lenny

Alberto Gonzalez Iniesta
On Wed, Oct 01, 2014 at 02:28:17PM +0300, Nikolay Hristov wrote:

> Hello there,
>
> I know that this is outdated debian release and it is in the archives but I
> still have 6 servers running Lenny and I don't want to upgrade them to newer
> versions for several reasons.
> Any chance that we will get official debian package for Lenny? I'm sure that
> I'm not the only one with such problem. I don't want to use deb packages
> from different sources because I cannot trust them.
>
> Shellshock has such big impact on the internet so please give us Lenny
> package.

Not "official", but from a known source:
http://ftp.linux.it/pub/People/md/bash/

--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: [hidden email] | in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55


Re: about bash and Debian Lenny

Izak Burger
In reply to this post by Nikolay Hristov
I made lenny packages for my machines. I could share them if you want?

Re: about bash and Debian Lenny

Nikolay Hristov
On 10/01/2014 02:37 PM, Izak Burger wrote:
I made lenny packages for my machines. I could share them if you want?

Which part of "I don't want to use deb packages from different sources because I cannot trust them" didn't you understand? ;-)

Nikolay Hristov
Re: about bash and Debian Lenny

Konstantin Khomoutov
On Wed, 1 Oct 2014 14:45:55 +0300
Nikolay Hristov <[hidden email]> wrote:

> > I made lenny packages for my machines. I could share them if you
> > want?
[...]
> Which part of "I don't want to use deb packages from different
> sources because I cannot trust them" you didnt understand? ;-)

Still, when someone offers their help there really is no need
to play a smart ass as you did.  The only thing you might achieve doing
that is a) direct rebuttals (my e-mail) and b) mild propositions to
build patched packages yourself.


Re: about bash and Debian Lenny

David Dejaeghere
In reply to this post by Nikolay Hristov
What part of:
"Debian GNU/Linux 5.0 has been superseded by Debian 6.0 ("squeeze"). Security updates have been discontinued as of February 6th, 2012."
http://www.debian.org/releases/lenny/index.en.html
didn't you understand? :)

There are many more security issues than Shellshock alone with Debian Lenny in its current state. If you need to secure your old boxes you will have to look for alternative methods outside of supported packages. Think about improved firewalling.
What attack vectors of the shellshock exploit are worrying to you?

Regards,

David

Re: about bash and Debian Lenny

Nikolay Hristov
On 10/01/2014 02:59 PM, David Dejaeghere wrote:
What part of:
"Debian GNU/Linux 5.0 has been superseded by Debian 6.0 ("squeeze"). Security updates have been discontinued as of February 6th, 2012. "
http://www.debian.org/releases/lenny/index.en.html
didn't you understand? :)

There are many more security issues than Shellshock alone with Debian Lenny in its current state. If you need to secure your old boxes you will have to look for alternative methods outside of supported packages. Think about improved firewalling.
What attack vectors of the shellshock exploit are worrying to you?

I got only qmail on them and that is all. No other ports are open, and daemontools uses bash. Some of them are also running tinydns. I can try to change the default shell to dash, but the servers are not at my location and I will need to travel a lot if something goes wrong. In other words, we need a security update for older Debian distributions.

Nikolay Hristov
Re: about bash and Debian Lenny

Izak Burger
In reply to this post by Konstantin Khomoutov
Still, when someone offers their help there really is no need
to play a smart ass as you did.  The only thing you might achieve doing
that is a) direct rebuttals (my e-mail) and b) mild propositions to
build patched packages yourself.

Admittedly I didn't read the email as properly as I should have, and he did add the relevant emoticon, so no worries.

Rolling your own is remarkably easy. Someone suggested this "gist", which I didn't use, but it gave me the info for the patches:


I then made a lenny chroot, noticed it already had all the patches up to 39, so I downloaded 40 through 54, copied the dpatch shell stuff at the top of the existing patches to each of the new ones, added them to the relevant variable in debian/rules, and built the package. It built cleanly, no problem.

I actually forgot to update debian/changelog, so my packages are sort of rubbish anyway.
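Added example, not part of Izak's message or of any Debian package: once a rebuilt bash is installed, the practitioner's check is to probe the binary itself rather than trust the changelog. This POSIX sh function takes the path to a bash binary (defaulting to the bash on PATH) and runs the two standard public Shellshock probes: the original function-import bug (CVE-2014-6271) and the incomplete-fix follow-up (CVE-2014-7169). It returns 0 when neither probe fires, 1 when at least one does, and 2 when there is no usable binary to test. The only side effect is a throw-away temporary directory.

```shell
#!/bin/sh
# Probe a bash binary for the two original Shellshock bugs.
# Exit status: 0 = neither probe fires, 1 = at least one fires,
#              2 = no usable bash binary to test.
# The only side effect is a throw-away directory under $TMPDIR.

shellshock_probe() {
    bash_bin=${1:-$(command -v bash 2>/dev/null)}
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    result=0

    # CVE-2014-6271: an exported variable whose value starts with "() {"
    # is imported as a function; a vulnerable parser also executes the
    # command that trails the function body.
    out=$(env x='() { :;}; echo SHELLSHOCK' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case $out in
        *SHELLSHOCK*) echo "VULNERABLE      CVE-2014-6271  $bash_bin"; result=1 ;;
        *)            echo "not vulnerable  CVE-2014-6271  $bash_bin" ;;
    esac

    # CVE-2014-7169: the first fix still let a crafted function body leak
    # parser state, so "echo date" is parsed as "> echo date" and a file
    # named "echo" appears in the working directory.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        echo "VULNERABLE      CVE-2014-7169  $bash_bin"; result=1
    else
        echo "not vulnerable  CVE-2014-7169  $bash_bin"
    fi
    rm -rf "$tmp"
    return $result
}

# Usage: shellshock_probe /bin/bash   (no argument tests the bash on PATH)
```

Run it on each server after the rebuilt package is installed; a bash that still fires either probe is exposed wherever attacker-controlled data ends up in an environment variable of a bash process, which for a qmail host means every delivery program a .qmail file hands mail to through a bash wrapper.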
Re: about bash and Debian Lenny

Nikolay Hristov
In reply to this post by Konstantin Khomoutov
On 10/01/2014 02:58 PM, Konstantin Khomoutov wrote:

> On Wed, 1 Oct 2014 14:45:55 +0300
> Nikolay Hristov <[hidden email]> wrote:
>
>>> I made lenny packages for my machines. I could share them if you
>>> want?
> [...]
>> Which part of "I don't want to use deb packages from different
>> sources because I cannot trust them" you didnt understand? ;-)
> Still, when someone offers their help there really is no need
> to play a smart ass as you did.  The only thing you might achieve doing
> that is a) direct rebuttals (my e-mail) and b) mild propositions to
> build patched packages yourself.
Yes, you are right, but what if the person offering me help is someone
who wants to take advantage of me?
No offence, but do you trust everyone who offers help to you?

Nikolay Hristov


Re: about bash and Debian Lenny

David Dejaeghere
With Qmail exposed and being an attack vector I would advise you to build your own updated bash package.
You won't get official security updates.

Re: about bash and Debian Lenny

David Dejaeghere
Also, about not trusting people: you are sending to this list with your company email address and telling everyone here that you have an exploitable qmail setup running. Be careful with the information you make public.

Regards,

David

Re: about bash and Debian Lenny

Jens Schüßler-2
In reply to this post by Nikolay Hristov
* Nikolay Hristov <[hidden email]> wrote:

> On 10/01/2014 02:58 PM, Konstantin Khomoutov wrote:
> >On Wed, 1 Oct 2014 14:45:55 +0300
> >Nikolay Hristov <[hidden email]> wrote:
> >
> >>>I made lenny packages for my machines. I could share them if you
> >>>want?
> >[...]
> >>Which part of "I don't want to use deb packages from different
> >>sources because I cannot trust them" you didnt understand? ;-)
> >Still, when someone offers their help there really is no need
> >to play a smart ass as you did.  The only thing you might achieve doing
> >that is a) direct rebuttals (my e-mail) and b) mild propositions to
> >build patched packages yourself.
> Yes you are right but what if the person offering me help is someone
> who wants to take advantage of me.
> No offence but do you trust everyone who offers help to you?

But you know, *you* asked for help here, but you don't trust people who
offer help....
And btw, if you are so careful about trust and security, you should maybe
consider not running 6 servers on a release whose security support ended
some ice ages ago. Or at least be able to backport your own packages for
these machines.


Re: about bash and Debian Lenny

Yves-Alexis Perez-2
In reply to this post by Nikolay Hristov
On mer., 2014-10-01 at 15:03 +0300, Nikolay Hristov wrote:
> In other words we
> need security update for older debian distributions.

That won't happen.
--
Yves-Alexis Perez - Debian Security



Re: about bash and Debian Lenny

Paul Wise via nm
In reply to this post by Nikolay Hristov
On Wed, Oct 1, 2014 at 7:28 PM, Nikolay Hristov wrote:

> I still have 6 servers running Lenny and I don't want to upgrade them to newer
> versions for several reasons.

Could you mention these on the list? If so perhaps we can provide some
advice. If not perhaps you can find a Debian consultant who is willing
to help you upgrade these systems to a supported release:

https://www.debian.org/consultants/

--
bye,
pabs

https://wiki.debian.org/PaulWise


Re: about bash and Debian Lenny

Carlos Alberto Lopez Perez
In reply to this post by Nikolay Hristov
On 01/10/14 13:28, Nikolay Hristov wrote:

> Hello there,
>
> I know that this is outdated debian release and it is in the archives
> but I still have 6 servers running Lenny and I don't want to upgrade
> them to newer versions for several reasons.
> Any chance that we will get official debian package for Lenny? I'm sure
> that I'm not the only one with such problem. I don't want to use deb
> packages from different sources because I cannot trust them.
>
> Shellshock has such big impact on the internet so please give us Lenny
> package.
>
> Nikolay Hristov
>
>
>
I have built patched packages for lenny. You can download them from here:

http://people.igalia.com/clopez/bash-shellshock-lenny/

If you are not willing to use the binaries, you can rebuild it from the
sources that I also made available.


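Added example, not Carlos's code and not Debian tooling: taking a third party's source package instead of their binaries turns the trust question into two mechanical checks before anything is built from it, that the .dsc is signed by a key you fetched and fingerprint-checked out of band, and that every file the .dsc lists matches the checksum it records. The two POSIX sh functions below do exactly that. The keyring path and the file names in the usage comment are assumptions for illustration; the stanza format is the standard Checksums-Sha256 field of a .dsc, and the functions expect the plain-text .dsc, so a gzipped one has to be decompressed first.

```shell
#!/bin/sh
# Two checks to run on a third-party Debian source package before
# rebuilding it: the .dsc signature and the checksums it lists.

# 1. Verify the clear-signed .dsc against a keyring you control.
#    The keyring is assumed to hold only the builder's public key,
#    fetched and fingerprint-checked out of band; do not verify against
#    whatever keys happen to sit in your default keyring.
verify_dsc_signature() {
    dsc=$1
    keyring=$2
    gpg --no-default-keyring --keyring "$keyring" --verify "$dsc"
}

# 2. Check every file in the Checksums-Sha256 stanza against the files
#    sitting next to the .dsc.
#    Returns 0 when all match, 1 on any mismatch or missing file,
#    2 when the .dsc has no Checksums-Sha256 stanza at all.
verify_dsc_sha256() {
    dsc=$1
    dir=$(dirname "$dsc")
    # Stanza lines look like " <sha256> <size> <filename>"; collect them
    # from the field header up to the next non-indented line.
    entries=$(awk '/^Checksums-Sha256:/ {f=1; next} /^[^ ]/ {f=0} f {print $1, $3}' "$dsc")
    if [ -z "$entries" ]; then
        echo "no Checksums-Sha256 stanza in $dsc" >&2
        return 2
    fi
    fails=0
    # A here-document instead of a pipe keeps the loop in this shell,
    # so $fails survives it.
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            fails=$((fails + 1))
            continue
        fi
        actual=$(sha256sum "$dir/$name" | awk '{print $1}')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            fails=$((fails + 1))
        fi
    done <<EOF
$entries
EOF
    [ "$fails" -eq 0 ]
}

# Usage (file names are assumptions):
#   verify_dsc_signature bash_3.2-4+deb5u1.dsc ./builder-key.gpg && \
#   verify_dsc_sha256 bash_3.2-4+deb5u1.dsc && \
#   dpkg-source -x bash_3.2-4+deb5u1.dsc
```

The signature check only means something if the keyring holds a key whose fingerprint you confirmed through a channel other than the download site; the checksum check then extends that trust from the small signed .dsc to the tarballs and diff it names, which is the part you actually compile.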
Re: about bash and Debian Lenny

Jann Horn-3
In reply to this post by Nikolay Hristov
On Wed, Oct 01, 2014 at 02:28:17PM +0300, Nikolay Hristov wrote:

> Hello there,
>
> I know that this is outdated debian release and it is in the archives but I
> still have 6 servers running Lenny and I don't want to upgrade them to newer
> versions for several reasons.
> Any chance that we will get official debian package for Lenny? I'm sure that
> I'm not the only one with such problem. I don't want to use deb packages
> from different sources because I cannot trust them.
>
> Shellshock has such big impact on the internet so please give us Lenny
> package.
You're doing this the wrong way - as others have already said, upgrade your
server to a supported release.

That said... have a look at this thread on oss-security for some suggestions
of easy-to-understand binary patches that will remove the vulnerable feature:

http://www.openwall.com/lists/oss-security/2014/09/29/1
http://www.openwall.com/lists/oss-security/2014/09/29/6

Re: about bash and Debian Lenny

Paul Wise via nm
On Thu, Oct 2, 2014 at 1:37 AM, Jann Horn wrote:

> You're doing this the wrong way - as others have already said, upgrade your
> server to a supported release.

Based on our off-list discussions, Nikolay has valid reasons for not upgrading.

--
bye,
pabs

https://wiki.debian.org/PaulWise


Re: about bash and Debian Lenny

Andrea Zwirner
Paul Wise <[hidden email]> wrote:
> On Thu, Oct 2, 2014 at 1:37 AM, Jann Horn wrote:
>
> > You're doing this the wrong way - as others have already said, upgrade your
> > server to a supported release.
>
> Based on our off-list discussions, Nikolay has valid reasons for not upgrading.
>
Oh dear! Pabs, now you've made the whole list burst with curiosity!

Bye,
    A.


Sent from my Sylpheed


Re: about bash and Debian Lenny

Steve Kemp-4
In reply to this post by Nikolay Hristov
> Shellshock has such big impact on the internet so please give us Lenny
> package.

  You need to remember that Debian is a project staffed by volunteers,
 some of whom have already offered packages.  If you cannot trust random
 binaries then the patches are available.

  If you do have a legitimate reason for not upgrading, then your
 choices are few - and largely consist of:

    * Rolling your own packages, via the public patches, which you will
      then trust.

    * Finding somebody trustworthy.

    * Upgrading.

  My personal response to somebody requesting newer updates has got to
 be "What is your budget?"..


Steve
--
http://www.steve.org.uk/
Re: about bash and Debian Lenny

Marko Randjelovic-6
In reply to this post by Carlos Alberto Lopez Perez
On Wed, 01 Oct 2014 17:30:11 +0200
Carlos Alberto Lopez Perez <[hidden email]> wrote:

> On 01/10/14 13:28, Nikolay Hristov wrote:
> > Hello there,
> >
> > I know that this is outdated debian release and it is in the archives
> > but I still have 6 servers running Lenny and I don't want to upgrade
> > them to newer versions for several reasons.
> > Any chance that we will get official debian package for Lenny? I'm sure
> > that I'm not the only one with such problem. I don't want to use deb
> > packages from different sources because I cannot trust them.
> >
> > Shellshock has such big impact on the internet so please give us Lenny
> > package.
> >
> > Nikolay Hristov
> >
> >
> >
>
> I have built patched packages for lenny. You can download them from here:
>
> http://people.igalia.com/clopez/bash-shellshock-lenny/
>
> If you are not willing to use the binaries, you can rebuild it from the
> sources that I also made available.
>
Why is your bash_3.2-4+deb5u1.dsc gzipped?

--
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
    Ivo Andric, "Signs near the travel-road"
