Discussion:
bash update tips for legacy SL4.x for shellshock vulnerability
Takashi ichihara
2014-10-02 11:12:26 UTC
Hi,

A few SL4.x nodes still exist in our Lab. which will be retired
soon. The following are tips to update bash on legacy SL4.x for the
shellshock vulnerability. (Note: support for SL4.x ended in 2011)

bash update tips for legacy SL4.x for shellshock vulnerability
Ref.
https://www.centos.org/forums/viewtopic.php?f=10&t=48643

On SL4.4-4.9 (i386 or x86_64), try as follows (at your own risk)
mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo "%_topdir /root/rpmbuild/" > /root/.rpmmacros
rpm -Uvh http://ftp1.scientificlinux.org/linux/scientific/obsolete/4x/SRPMS/vendor/bash-3.0-27.el4.src.rpm
cd /root/rpmbuild/SOURCES/
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-018
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-019
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-020
# edit bash30-017 and change any reference to 3.0.16 to just 3.0
cd /root/rpmbuild/SPECS/
# edit /root/rpmbuild/SPECS/bash.spec
# 1) uncomment the line %patch16 -p0 -b .016
# 2) edit this line (it is line 4):
# Release: 27%{?dist}.1
# 3) and add where appropriate
# %patch17 -p0 -b .017
# %patch18 -p0 -b .018
# %patch19 -p0 -b .019
# %patch20 -p0 -b .020
# Patch17: bash30-017
# Patch18: bash30-018
# Patch19: bash30-019
# Patch20: bash30-020
rpmbuild -ba bash.spec
# wait to see if it completes cleanly, may take several minutes
# update bash
rpm -Fvh /root/rpmbuild/RPMS/i386/bash-3.0-27.1.i386.rpm      # on i386, or
rpm -Fvh /root/rpmbuild/RPMS/x86_64/bash-3.0-27.1.x86_64.rpm  # on x86_64

Of course, it should be better to update to SL5/6/7 and
apply patches (yum update).

Best regards
Takashi Ichihara
Kaj Niemi
2014-10-02 11:28:22 UTC
Hi,


If you're ok with going to a newer bash in your EL4 environment you can rebuild the one from EL5, it will work as a drop-in replacement.


HTH


Kaj




Takashi ichihara
2014-10-07 08:30:05 UTC
Hi,

Two new patches have been released after my post on Oct. 2 as
can be found at http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/
bash30-021 02-Oct-2014 22:15 1.7K
bash30-022 05-Oct-2014 19:02 3.4K

(Also, for bash-3.1, 3.2, 4.0, 4.1, 4.2, 4.3, a total of
six patches have been released for each version so far
for the shellshock vulnerability.)

regards,
Takashi

On 2014/10/02 20:28, Kaj Niemi wrote:
> Hi,
>
> If you're ok with going to a newer bash in your EL4 environment you can rebuild the one from EL5, it will work as a drop-in replacement.
>
>
> HTH
>
>
> Kaj
>
>
>> On 02 Oct 2014, at 14:12, Takashi ichihara <ichihara-RjkA+v3I/EZiOqLXfVUs/***@public.gmane.org> wrote:
>>
>> Hi,
>>
>> A few SL4.x nodes still exist in our Lab. which will be retired
>> soon. The following are tips to update bash on legacy SL4.x for the
>> shellshock vulnerability. (Note: support for SL4.x ended in 2011)
>>
>> bash update tips for legacy SL4.x for shellshock vulnerability
>> Ref.
>> https://www.centos.org/forums/viewtopic.php?f=10&t=48643
>>
>> On SL4.4-4.9 (i386 or x86_64), try as follows (at your own risk)
>> mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
>> echo "%_topdir /root/rpmbuild/" > /root/.rpmmacros
>> rpm -Uvh http://ftp1.scientificlinux.org/linux/scientific/obsolete/4x/SRPMS/vendor/bash-3.0-27.el4.src.rpm
>> cd /root/rpmbuild/SOURCES/
>> wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
>> wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-018
>> wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-019
>> wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-020
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-021
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-022
>> # edit bash30-017 and change any reference to 3.0.16 to just 3.0 <- can be omitted.
>> cd /root/rpmbuild/SPECS/
>> # edit /root/rpmbuild/SPECS/bash.spec
>> # 1) uncomment the line %patch16 -p0 -b .016
>> # 2) edit this line (it is line 4):
>> # Release: 27%{?dist}.22
>> # 3) and add where appropriate
>> # %patch17 -p0 -b .017
>> # %patch18 -p0 -b .018
>> # %patch19 -p0 -b .019
>> # %patch20 -p0 -b .020
# %patch21 -p0 -b .021
# %patch22 -p0 -b .022
>> # Patch17: bash30-017
>> # Patch18: bash30-018
>> # Patch19: bash30-019
>> # Patch20: bash30-020
# Patch21: bash30-021
# Patch22: bash30-022
>> rpmbuild -ba bash.spec
>> # wait to see if it completes cleanly, may take several minutes
>> # update bash
>> rpm -Fvh /root/rpmbuild/RPMS/i386/bash-3.0-27.1.i386.rpm      # on i386, or
>> rpm -Fvh /root/rpmbuild/RPMS/x86_64/bash-3.0-27.1.x86_64.rpm  # on x86_64
>>
>> Of course, it should be better to update to SL5/6/7 and
>> apply patches (yum update).
>>
>> Best regards
>> Takashi Ichihara
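
The manual bash.spec edits listed in the posts above (uncomment %patch16, bump Release, add PatchNN and %patchNN for 017 through 022) can be scripted and checked before rpmbuild runs, since a patch that is declared but never applied still builds cleanly. This is an added example, not part of the original posts: the function names and the sample spec are constructed, and it assumes bash.spec already has a `Patch16:` line and a commented-out `%patch16` line.

```shell
#!/bin/sh
# Added example (not from the thread): scripted bash.spec edits plus a check.

# add_bash30_patches SPEC LAST SUFFIX
#   uncomment %patch16, append ".SUFFIX" to Release, add patches 17..LAST
add_bash30_patches() {
    spec=$1 last=$2 suffix=$3
    # Refuse a second pass: it would duplicate every added line.
    if grep -q '^Patch17:' "$spec"; then
        echo "$spec: Patch17 already declared, not editing" >&2
        return 1
    fi
    awk -v last="$last" -v suffix="$suffix" '
        /^#[ \t]*%patch16[ \t]/ { sub(/^#[ \t]*/, "") }   # step 1: uncomment
        /^Release:/             { $0 = $0 "." suffix }    # step 2: new release
        { print }
        /^Patch16:/ {                                     # step 3: declare
            for (n = 17; n <= last; n++)
                printf "Patch%d: bash30-%03d\n", n, n
        }
        /^%patch16[ \t]/ {                                # step 3: apply
            for (n = 17; n <= last; n++)
                printf "%%patch%d -p0 -b .%03d\n", n, n
        }
    ' "$spec" > "$spec.new" && mv "$spec.new" "$spec"
}

# unapplied_patches SPEC
#   print the number of every PatchNN: that has no active %patchNN line;
#   such a patch is shipped in the SRPM but never applied to the source.
unapplied_patches() {
    for n in $(sed -n 's/^Patch\([0-9][0-9]*\):.*/\1/p' "$1"); do
        grep -q "^%patch${n}[[:space:]]" "$1" || echo "$n"
    done
}

# Constructed stand-in for the relevant lines of bash.spec (assumption).
write_sample_spec() {
    cat > "$1" <<'EOF'
Name: bash
Version: 3.0
Release: 27%{?dist}
Patch15: bash30-015
Patch16: bash30-016
%prep
%setup -q
%patch15 -p0 -b .015
#%patch16 -p0 -b .016
EOF
}

# Demo on the constructed spec.
tmp=$(mktemp) && write_sample_spec "$tmp"
echo "before: unapplied = $(unapplied_patches "$tmp" | tr '\n' ' ')"
add_bash30_patches "$tmp" 22 22
echo "after:  unapplied = $(unapplied_patches "$tmp" | tr '\n' ' ')"
grep -n -e '^Release' -e 'patch2[12]' "$tmp"; rm -f "$tmp"
```

On the real host, run `unapplied_patches /root/rpmbuild/SPECS/bash.spec` after editing and before `rpmbuild -ba bash.spec`; any number it prints is a patch that will not reach the built binary.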
Allen Wilkinson
2014-10-07 11:55:42 UTC
I could use help on the SUBJECT problem.

This is for an old laptop that uses the ipw2200 wifi driver.
It assigns the wifi to eth1.

eth0 for wired Ethernet is active okay, and I want eth1 active at the same
time.

ifup eth1 seems to only allow WEP keys successfully.
NetworkManager never seems to connect at run level 3 using WPA for any
configuration that I can figure out. nm-tool does show WPA should be
possible.

Thank you for any help, Allen
David Sommerseth
2014-10-07 23:38:51 UTC
On 07/10/14 13:55, Allen Wilkinson wrote:
> I could use help on the SUBJECT problem.
>
> This is for an old laptop that uses the ipw2200 wifi driver.
> It assigns the wifi to eth1.
>
> eth0 for wired Ethernet is active okay, and I want eth1 active at the
> same time.
>
> ifup eth1 seems to only allow WEP keys successfully.
> NetworkManager never seems to connect at run level 3 using WPA for any
> configuration that I can figure out. nm-tool does show WPA should be
> possible.
>

Hi Allen,

If you already have configured the network connections using
NetworkManager, it should be fairly possible to start the wireless
network using 'nmcli'. That's a command line tool for Network Manager.

You most likely need to play around with 'nmcli con'. F.ex. I have a
wireless config called 'home'. So to connect from the command line, I do
this:

[***@host:~] $ nmcli con up id home

I'll admit, it's a long time since I played with EL5, so it might not be
fully supported. But on EL6 and newer, this is possible.


--
kind regards,

David Sommerseth
Allen Wilkinson
2014-10-08 02:30:50 UTC
David,

Key question is how do I configure network connections with NetworkManager
from the command line?

Thanks, Allen
David Sommerseth
2014-10-08 10:11:44 UTC
On 08/10/14 04:30, Allen Wilkinson wrote:
> David,
>
> Key question is how do I configure network connections with
> NetworkManager from the command line?

Ahh! I see. IIRC, nmcli in EL5 does not support that. I believe there
is some support for it in EL6 and even more in EL7. But for EL5, I
believe you need to dig into the configuration files in /etc/NetworkManager.

I'm sorry, I have only two production boxes left with EL5, and neither
of them use NetworkManager, so it's hard for me to point you further.

--
kind regards,

David Sommerseth



Stephan Mattecka
2014-10-09 10:30:27 UTC
Hi Allen,

maybe you should use wpa_supplicant. I tried this some time ago (at SL 6.4) and it worked on runlevel 3. You can find a HowTo at http://wiki.centos.org/HowTos/Laptops/WpaSupplicant

I'm not sure if it works with SL 5.5 but it should be worth a try.

Regards

Stephan

Sent: Wednesday, 08 October 2014 at 12:11
From: "David Sommerseth" <sl+users-***@public.gmane.org>
To: "Allen Wilkinson" <aw-***@public.gmane.org>
Cc: SCIENTIFIC-LINUX-USERS <SCIENTIFIC-LINUX-USERS-JX7+OpRa80ThqTqF3KRMt/***@public.gmane.org>
Subject: Re: How to do WPA wifi authentication at run level 3 on SL 5.5 ?

> On 08/10/14 04:30, Allen Wilkinson wrote:
>> David,
>>
>> Key question is how do I configure network connections with
>> NetworkManager from the command line?
>
> Ahh! I see. IIRC, nmcli in EL5 does not support that. I believe there
> is some support for it in EL6 and even more in EL7. But for EL5, I
> believe you need to dig into the configuration files in /etc/NetworkManager.
>
> I'm sorry, I have only two production boxes left with EL5, and neither
> of them use NetworkManager, so it's hard for me to point you further.
>
> --
> kind regards,
>
> David Sommerseth
David G.Miller
2014-10-09 05:30:58 UTC
Allen Wilkinson <***@...> writes:

>
> David,
>
> Key question is how do I configure network connections with NetworkManager
> from the command line?
>
<SNIP>
Probably not the answer you want to hear but you don't with EL5 and earlier.

It is possible to work directly with the appropriate configuration files like
we did in the "good old days" before NetworkMangler. There were some
reasonably good how-tos that I followed to get WiFi working on my laptop back
in 2005. Getting the original how-to is probably much better than me trying
to remember what I did.

Cheers,
Dave
Nico Kadel-Garcia
2014-10-09 06:01:53 UTC
On Thu, Oct 9, 2014 at 1:30 AM, David G.Miller <dave-***@public.gmane.org> wrote:
> Allen Wilkinson <***@...> writes:
>
>>
>> David,
>>
>> Key question is how do I configure network connections with NetworkManager
>> from the command line?
>>
> <SNIP>
> Probably not the answer you want to hear but you don't with EL5 and earlier.
>
> It is possible to work directly with the appropriate configuration files like
> we did in the "good old days" before NetworkMangler. There were some
> reasonably good how-tos that I followed to get WiFi working on my laptop back
> in 2005. Getting the original how-to is probably much better than me trying
> to remember what I did.

It also tends to be far more flexible, consistent, and reliable than
letting NetworkManager anywhere *near* your configuration files. The
only uses I've found for NetworkManager are for VPN systems, which are
awkward to disable and reset from the command line. But setting up
pair bonding, tagged VLANs, and bridged devices for KVM are only a few
of the problems that are better solved through direct command line
access.
David Sommerseth
2014-10-09 09:45:49 UTC
On 09/10/14 07:30, David G.Miller wrote:
> Allen Wilkinson <***@...> writes:
>
>>
>> David,
>>
>> Key question is how do I configure network connections with NetworkManager
>> from the command line?
>>
> <SNIP>
> Probably not the answer you want to hear but you don't with EL5 and earlier.
>
> It is possible to work directly with the appropriate configuration files like
> we did in the "good old days" before NetworkMangler. There were some
> reasonably good how-tos that I followed to get WiFi working on my laptop back
> in 2005. Getting the original how-to is probably much better than me trying
> to remember what I did.

Actually when you mention it now ... there is this wpa_supplicant which
does the WPA configuration. I did this many years ago when I ran
Gentoo, long before NetworkManager came along. IIRC, NetworkManager
uses wpa_supplicant under the hood even nowadays.

This might provide some better clues on the wpa_supplicant config files:
http://wiki.centos.org/HowTos/Laptops/WpaSupplicant
http://wiki.gentoo.org/wiki/Wpa_supplicant#WPA2_with_wpa_supplicant


--
kind regards,

David Sommerseth
David G. Miller
2014-10-10 05:00:57 UTC
Hi Dave -

I remember dealing with wpa_supplicant back in the day. Hopefully,
Allen can make use of the how-tos you found.

Cheers,
Dave


--
"They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty."

-- Benjamin Franklin