bash patch for SLES 9

Any chance a patch will be made available to fix this bug for SLES 9?

On 25/09/2014 16:34, rustyshields wrote:
> Any chance a patch will be made available to fix this bug for SLES 9?

Since SLES9 is outside the scope of Long Term Service Pack Support
(LTSS) I would be extremely surprised if a patch was released for any
SLES9 release.

It’s certainly not listed @
http://support.novell.com/security/cve/CVE-2014-6271.html

Time to upgrade to something more current.

HTH.

Simon
SUSE Knowledge Partner



Thanks Simon,

We’re certainly working towards upgrading/replacing, but I can’t say that’s going to happen anywhere near fast enough to be a satisfactory solution to this issue.

I see patches released as recently as June of this year for “SUSE Linux Enterprise Server 9 SP4 LTSS”, so that gives me some small hope.

Any downside to installing from source on SLES 9 or earlier (unsupported) versions of SLES 10…?

    mkdir src
    cd src
    wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    #download all patches
    for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
    tar zxvf bash-4.3.tar.gz
    cd bash-4.3
    #apply all patches
    for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
    #build and install
    ./configure && make && make install
    cd ..
    cd ..
    rm -r src

That’s what I’m planning to do at this point.

[QUOTE=blortyblorty;23833]Any downside to installing from source on SLES 9 or earlier (unsupported) versions of SLES 10…?

    mkdir src
    cd src
    wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    #download all patches
    for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
    tar zxvf bash-4.3.tar.gz
    cd bash-4.3
    #apply all patches
    for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
    #build and install
    ./configure && make && make install
    cd ..
    cd ..
    rm -r src
[/QUOTE]

If you’re going to build from source, might it be a good idea not to overwrite stuff all over the place by compiling with prefix of /usr then running ‘make install’? (as previously posted example which the forum software has cut out of the quote block does.)
Maybe worth considering building with prefix of /usr/local or /opt, or even /usr/local/bash4 or /opt/bash4, then rename the bash binary provided as part of SLES 9 and replace with symlink to the new one. That way you have a quick easy way to revert to the bash that was provided as part of SLES 9 should that be desired for some reason.

I did this on SLES 10 SP3 and it was successful in upgrading to bash version 4.3.
However, when I test if it is still vulnerable by running:

    env x='() { :;}; echo vulnerable' bash -c 'echo hello'

it says it is vulnerable.

I got that test from here: http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it

Any ideas what is wrong?

Thanks,
Rob
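
The test in the post above runs whichever `bash` comes first in PATH, and a source build with the default `./configure` prefix installs under /usr/local, leaving the distribution's /bin/bash in place. The following is an added example, not part of any post in this thread: it runs the same CVE-2014-6271 test against each copy by full path. The candidate paths (including /opt/bash4/bin/bash) and the function names are assumptions.

```shell
#!/bin/sh
# probe_bash BIN: run the thread's CVE-2014-6271 test against one specific
# binary, addressed by full path so PATH lookup cannot substitute another copy.
# Prints "vulnerable", "not vulnerable" or "missing".
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo "missing"; return 0; }
    # x carries a function definition followed by a trailing command; an
    # unpatched bash executes the trailing command while importing x.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo hello' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# report_bash_copies BIN...: one tab-separated line per binary:
# path, probe result, first line of --version (n/a if it cannot be run).
report_bash_copies() {
    for candidate in "$@"; do
        ver=$("$candidate" --version 2>/dev/null | head -n 1) || true
        printf '%s\t%s\t%s\n' "$candidate" "$(probe_bash "$candidate")" "${ver:-n/a}"
    done
}

# The copy that a bare "bash" resolves to, plus locations a source build or
# the distribution commonly uses (assumed paths; adjust to the local layout).
path_bash=$(command -v bash 2>/dev/null) || true
report_bash_copies ${path_bash:+"$path_bash"} \
    /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/bash4/bin/bash
```

A copy reported as vulnerable while another is not means scripts with a `#!/bin/bash` line and login shells may still be using the old binary.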