Bash Vulnerability in Rune Audio

[NullDev]

A major bug in the BASH shell was recently uncovered (CVE-2014-6271 & CVE-2014-7169). One can easily test for the vulnerability by running the following from a BASH prompt:

Code: Select all

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you have the bug, you will get:

Code: Select all

vulnerable
this is a test

Most major distros have patched this issue. I'm currently running 0.2-beta on a BBB and my version is vulnerable. Any idea if/when this will be patched? Is there a way of getting the fix without having to restart from scratch?

[tux]

I assume that with a:

pacman -Sy bash

you will be fine. Latest fix is already in archLinuxarm repositories.

[NullDev]

That brought in bash-4.3.024-2 along with readline-6.3.006-1 as a dependency. After the update, a quick vulnerability check showed I was good to go. Thank you sir!

[ACX]

It's good that it came out just before the 0.3-beta release, so we are in time to include the upgrade in the final image

[NullDev]

As an update, only CVE-2014-6271 has been patched at this point. Everyone is still waiting for a valid fix for CVE-2014-7169. It seems to be a slightly tougher nut to crack (so to speak...).

[cmh714]

I found a detailed article on how to recompile for a Mac, but I can wait....

[tux]

Today there's a new update on bash package. You need to repeat the procedure I mentioned in my post above!

[Peter]

I assume that with a:

pacman -Sy bash

you will be fine. Latest fix is already in archLinuxarm repositories.

Thank you, done - and no longer showing vulnerable.

[NullDev]

Grabbed the 2nd update as well and it works great. I wish I could get my RasPBX system to patch as easily! Thanks folks.

[Midnight]

IMHO this CVE is not really a problem for a music player in your home LAN. What is the worst thing an attacker could do there? Kill your Runeaudio installation or maybe only the Runeaudio web interface?