* Bash security vulnerabilities - Question for master
@ 2014-10-02 14:48 Mark Hatle
  2014-10-02 15:13 ` Paul Eggleton
From: Mark Hatle @ 2014-10-02 14:48 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer

With the recent vulnerabilities, a bunch of patches are being sent up to the 
list.  The content is generally fine, but I'm wondering if for master we should 
apply all of the official bash patches to get to the latest patch version, 
instead of applying various 'security' fixes that may or may not be the official 
version.

For instance, bash_4.3:

SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
[followed by a bunch of local patches]
"

ncftp .../bash/bash-4.3-patches > ls
bash43-001        bash43-004.sig    bash43-008        bash43-011.sig 
bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
bash43-001.sig    bash43-005        bash43-008.sig    bash43-012 
bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
bash43-002        bash43-005.sig    bash43-009        bash43-012.sig 
bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
bash43-002.sig    bash43-006        bash43-009.sig    bash43-013 
bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
bash43-003        bash43-006.sig    bash43-010        bash43-013.sig 
bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
bash43-003.sig    bash43-007        bash43-010.sig    bash43-014 
bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
bash43-004        bash43-007.sig    bash43-011        bash43-014.sig 
bash43-018        bash43-021.sig    bash43-025        bash43-028.sig

The community has 28 patches for various bugs (and these security issues) 
posted.  Would it make sense to update to bash 4.3 (28)?

In our bash 3.2.48:

SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=patch001 \
           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 \
           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 \
           ...
"

Some of the upstream items are applied, but I'm wondering if we should extend 
that to patch level 55 (the latest) in the same way.

Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that keep 
getting submitted plus a set of other general bugs.  It will also make it easier 
for security scanners to simply check the version and know the right fixes have 
been applied.

(Note, there will be at least one more patch coming out that fixes a few more 
defects according to the mailing lists.  I expect it today or tomorrow.)

--Mark
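
As an added example (not code from this thread or from oe-core), here is a small POSIX shell script that does by hand the two things the message above relies on: it generates SRC_URI entries for a run of official GNU bash patch files in the `apply=yes;striplevel=0;name=patchNNN` form used in the recipe, and it checks a `bash --version` string against a required patch level, which is the "just check the version" test a scanner would perform. The function names are mine; the version-string layout is what `bash --version` prints (`GNU bash, version 4.3.28(1)-release ...`, patch level as the third component); the `SRC_URI[patchNNN.sha256sum]` entries BitBake needs for each named file still have to be filled in from the downloaded patches, and the `.sig` files listed above should be checked with `gpg --verify` before those checksums are trusted.

```shell
#!/bin/sh
# Added example, not from the thread or oe-core: helpers for tracking official
# GNU bash patch levels in a recipe and for checking an installed bash against
# a required patch level.

# gen_bash_patch_uris MAJOR.MINOR FIRST LAST
#   Prints one SRC_URI entry per upstream patch file bashXY-NNN, numbered
#   patch001, patch002, ... in application order, as in the recipe quoted above.
#   Checksum lines (SRC_URI[patchNNN.sha256sum] = "...") are not generated:
#   take them from the downloaded files after verifying their .sig files.
gen_bash_patch_uris() {
    ver=$1; first=$2; last=$3
    short=$(printf '%s' "$ver" | tr -d '.')      # 3.2 -> 32, 4.3 -> 43
    i=$first; n=1
    while [ "$i" -le "$last" ]; do
        printf '    ${GNU_MIRROR}/bash/bash-%s-patches/bash%s-%03d;apply=yes;striplevel=0;name=patch%03d \\\n' \
            "$ver" "$short" "$i" "$n"
        i=$((i + 1)); n=$((n + 1))
    done
}

# verify_bash_patch FILE
#   Checks FILE against the detached signature FILE.sig published next to it
#   (requires the bash maintainer's key in the local keyring).
verify_bash_patch() {
    gpg --verify "$1.sig" "$1"
}

# bash_patchlevel_ok "VERSION_STRING" MAJOR.MINOR REQUIRED_PATCHLEVEL
#   Parses "GNU bash, version 4.3.28(1)-release ..." and returns 0 when the
#   reported release is MAJOR.MINOR and its patch level is >= REQUIRED,
#   1 when it is not, and 2 when the string is not a bash version banner.
bash_patchlevel_ok() {
    vstr=$1; want=$2; need=$3
    rel=$(printf '%s\n' "$vstr" |
          sed -n 's/^GNU bash, version \([0-9]*\.[0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$rel" ] || return 2
    set -- $rel                                   # $1 = MAJOR.MINOR, $2 = patch level
    [ "$1" = "$want" ] || return 1
    [ "$2" -ge "$need" ]
}

# Demo: the 3.2 entries for patches 49..55 mentioned in the message, then a
# check of whatever bash is on this host against 4.3 patch level 28.
gen_bash_patch_uris 3.2 49 55
if command -v bash >/dev/null 2>&1; then
    v=$(bash --version | head -n 1)
    if bash_patchlevel_ok "$v" 4.3 28; then
        echo "ok: $v"
    else
        echo "needs attention: $v"
    fi
fi
```

Run as `sh gen-bash-patches.sh` to print the recipe lines; the patch numbering restarts at `patch001` at the first upstream patch you include, which matches how the 3.2 recipe above names bash32-049 as patch001.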



* Re: Bash security vulnerabilities - Question for master
  2014-10-02 14:48 Bash security vulnerabilities - Question for master Mark Hatle
@ 2014-10-02 15:13 ` Paul Eggleton
  2014-10-02 15:48   ` Mark Hatle
From: Paul Eggleton @ 2014-10-02 15:13 UTC (permalink / raw)
  To: Mark Hatle; +Cc: openembedded-core

On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
> With the recent vulnerabilities, a bunch of patches are being sent up to the
> list.  The content is generally fine, but I'm wondering if for master we
> should apply all of the official bash patches to get to the latest patch
> version, instead of applying various 'security' fixes that may or may not
> be the official version.
> 
> For instance, bash_4.3:
> 
> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
> [followed by a bunch of local patches]
> "
> 
> ncftp .../bash/bash-4.3-patches > ls
> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
> 
> The community has 28 patches for various bugs (and these security issues)
> posted.  Would it make sense to update to bash 4.3 (28)?
> 
> In our bash 3.2.48:
> 
> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
> atch001 \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
> atch002 \
> 
> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
> atch003 \
> ...
> "
> 
> Some of the upstream items are applied, but I'm wondering if we should
> extend that to patch level 55 (the latest) in the same way.
> 
> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that
> keep getting submitted plus a set of other general bugs.  It will also make
> it easier for security scanners to simply check the version and know the
> right fixes have been applied.

FWIW, I'm inclined to agree - given the severity and high profile of these 
issues I think we should patch up to the latest patchlevel. Do we have enough 
tests to mitigate any risk of doing that for the 1.7 release, given how late 
we are in the release cycle?

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: Bash security vulnerabilities - Question for master
  2014-10-02 15:13 ` Paul Eggleton
@ 2014-10-02 15:48   ` Mark Hatle
  2014-10-02 19:06     ` Otavio Salvador
From: Mark Hatle @ 2014-10-02 15:48 UTC (permalink / raw)
  To: Paul Eggleton; +Cc: openembedded-core

On 10/2/14, 10:13 AM, Paul Eggleton wrote:
> On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
>> With the recent vulnerabilities, a bunch of patches are being sent up to the
>> list.  The content is generally fine, but I'm wondering if for master we
>> should apply all of the official bash patches to get to the latest patch
>> version, instead of applying various 'security' fixes that may or may not
>> be the official version.
>>
>> For instance, bash_4.3:
>>
>> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
>> [followed by a bunch of local patches]
>> "
>>
>> ncftp .../bash/bash-4.3-patches > ls
>> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
>> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
>> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
>> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
>> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
>> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
>> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
>> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
>> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
>> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
>> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
>> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
>> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
>> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
>>
>> The community has 28 patches for various bugs (and these security issues)
>> posted.  Would it make sense to update to bash 4.3 (28)?
>>
>> In our bash 3.2.48:
>>
>> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
>> atch001 \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
>> atch002 \
>>
>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
>> atch003 \
>> ...
>> "
>>
>> Some of the upstream items are applied, but I'm wondering if we should
>> extend that to patch level 55 (the latest) in the same way.
>>
>> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that
>> keep getting submitted plus a set of other general bugs.  It will also make
>> it easier for security scanners to simply check the version and know the
>> right fixes have been applied.
>
> FWIW, I'm inclined to agree - given the severity and high profile of these
> issues I think we should patch up to the latest patchlevel. Do we have enough
> tests to mitigate any risk of doing that for the 1.7 release, given how late
> we are in the release cycle?

I think between the ptest and normal system integration testing, we have enough 
tests to mitigate the risks.  Plus the patches themselves are heavily tested by 
the [bash] community and the official changes, so I think it's significantly 
less likely they will introduce issues.

--Mark

> Cheers,
> Paul
>




* Re: Bash security vulnerabilities - Question for master
  2014-10-02 15:48   ` Mark Hatle
@ 2014-10-02 19:06     ` Otavio Salvador
From: Otavio Salvador @ 2014-10-02 19:06 UTC (permalink / raw)
  To: Mark Hatle; +Cc: Paul Eggleton, Patches and discussions about the oe-core layer

On Thu, Oct 2, 2014 at 12:48 PM, Mark Hatle <mark.hatle@windriver.com> wrote:
> On 10/2/14, 10:13 AM, Paul Eggleton wrote:
>>
>> On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
>>>
>>> With the recent vulnerabilities, a bunch of patches are being sent up to
>>> the
>>> list.  The content is generally fine, but I'm wondering if for master we
>>> should apply all of the official bash patches to get to the latest patch
>>> version, instead of applying various 'security' fixes that may or may not
>>> be the official version.
>>>
>>> For instance, bash_4.3:
>>>
>>> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
>>> [followed by a bunch of local patches]
>>> "
>>>
>>> ncftp .../bash/bash-4.3-patches > ls
>>> bash43-001        bash43-004.sig    bash43-008        bash43-011.sig
>>> bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
>>> bash43-001.sig    bash43-005        bash43-008.sig    bash43-012
>>> bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
>>> bash43-002        bash43-005.sig    bash43-009        bash43-012.sig
>>> bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
>>> bash43-002.sig    bash43-006        bash43-009.sig    bash43-013
>>> bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
>>> bash43-003        bash43-006.sig    bash43-010        bash43-013.sig
>>> bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
>>> bash43-003.sig    bash43-007        bash43-010.sig    bash43-014
>>> bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
>>> bash43-004        bash43-007.sig    bash43-011        bash43-014.sig
>>> bash43-018        bash43-021.sig    bash43-025        bash43-028.sig
>>>
>>> The community has 28 patches for various bugs (and these security issues)
>>> posted.  Would it make sense to update to bash 4.3 (28)?
>>>
>>> In our bash 3.2.48:
>>>
>>> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=p
>>> atch001 \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=p
>>> atch002 \
>>>
>>>
>>> ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=p
>>> atch003 \
>>> ...
>>> "
>>>
>>> Some of the upstream items are applied, but I'm wondering if we should
>>> extend that to patch level 55 (the latest) in the same way.
>>>
>>> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes
>>> that
>>> keep getting submitted plus a set of other general bugs.  It will also
>>> make
>>> it easier for security scanners to simply check the version and know the
>>> right fixes have been applied.
>>
>>
>> FWIW, I'm inclined to agree - given the severity and high profile of these
>> issues I think we should patch up to the latest patchlevel. Do we have
>> enough
>> tests to mitigate any risk of doing that for the 1.7 release, given how
>> late
>> we are in the release cycle?
>
>
> I think between the ptest and normal system integration testing, we have
> enough tests to mitigate the risks.  Plus the patches themselves are heavily
> tested by the [bash] community and the official changes, so I think it's
> significantly less likely they will introduce issues.

I agree as well.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

