skilke (Aspirant)
Sep 25, 2014
BASH exploit - Shellshock
Hi
I have a ReadyNas Ultra 2 and it has version 3.1.17 of BASH installed which has a High risk vulnerability.
Can somebody please explain how to patch BASH so that my system is not at risk from this vulnerability. I have tried downloading the source, the patch and patching but 1 file did not patch successfully. If anyone can post some step by step instructions it would be really appreciated (as I am not an expert).
Many thanks
K
76 Replies
- mdgm-ntgr (NETGEAR Employee Retired)
You could change the sources list back if you want.
- schmitzm (Aspirant)
mdgm wrote: Yes it does have both patches. You can confirm this by examining the apt-get repository. It should show up in the GPL once there is a production 4.2.27 release.
Thanks for confirming this - the date of your announcement (Sep. 25th) had me confused, I thought the second patch relating to this issue had only been available from the 26th.
- schmitzm (Aspirant)
wtriba wrote: schmitzm wrote: @GibsonLP - I understand the latest beta addresses the issue - it would be nice to have confirmation that the beta includes both of the patches to bash though.
Following your writeup, I have managed to cross-build patched bash-3.2 and bash-2.05b binaries - I'll still need to run the testsuites from the source distribution to feel confident enough to replace the old binary.
I'm definitely interested in the 2.05b binary for my NV+. If/when you're going to make that available, I'd love to get a copy. Thanks!
Running the testsuite on both 2.05b and 3.2 bash binaries reveals that cross compiling bash is a bit tricky. Job control is missing, among other features.
I'll try to fudge a few of these configure tests, but really, you may be better off trying the beta firmware image posted on Thursday.
- wtriba (Aspirant)
I'd like to install 4.1.14 beta on my NV+. Is there a direct link to download this?
Thanks!
- chirpa (Luminary)
wtriba wrote: I'd like to install 4.1.14 beta on my NV+. Is there a direct link to download this?
http://www.readynas.com/download/beta/r ... -4.1.14-T5
- schmitzm (Aspirant)
wtriba wrote: I'd like to install 4.1.14 beta on my NV+. Is there a direct link to download this?
Thanks!
http://www.readynas.com/download/beta/raidiator/4.1.14/RAIDiator-4.1.14-T5
- mdgm-ntgr (NETGEAR Employee Retired)
schmitzm wrote: mdgm wrote: Yes it does have both patches. You can confirm this by examining the apt-get repository. It should show up in the GPL once there is a production 4.2.27 release.
Thanks for confirming this - the date of your announcement (Sep. 25th) had me confused, I thought the second patch relating to this issue had only been available from the 26th.
Skywalker mentioned he'd posted the betas here: http://www.readynas.com/forum/viewtopic.php?p=435054#p435054
Which in Australia at least was on the 26th. I think from a quick search the second patch was released late on the 25th (PST in the US).
- schmitzm (Aspirant)
I'm probably running a rather dated version of RAIDiator on our NAS - can't check the version since I shut down frontview pretty much first thing when the news broke. Are there any update prerequisites for the current betas - i.e. requirement for a minimum release level?
- mdgm-ntgr (NETGEAR Employee Retired)
schmitzm wrote:
I'm probably running a rather dated version of RAIDiator on our NAS - can't check the version since I shut down frontview pretty much first thing when the news broke. Are there any update prerequisites for the current betas - i.e. requirement for a minimum release level?
What model do you have?
There shouldn't be an issue.
Of course it is a good idea to ensure you have an up to date backup first.
There is a very low chance that this vulnerability would be exploited especially if you don't forward ports to the NAS. That's not to say there isn't a way, but we haven't found any.
However if you are concerned I would turn off port forwards until after updating to the beta with the patch (or a newer release).
- wtriba (Aspirant)
schmitzm wrote: wtriba wrote: I'd like to install 4.1.14 beta on my NV+. Is there a direct link to download this?
Thanks!
http://www.readynas.com/download/beta/r ... -4.1.14-T5
The FW update to 4.1.14-T5 went fine on my NV+ (v1) and all is well. Confirmed shellshock is no longer an issue with this release.
Thank you!
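
One way to repeat the confirmation discussed in this thread (that the installed bash carries both patches), as an added example that is not part of any post above and is not NETGEAR's tooling. The function names and the MARKER string are constructed for illustration; run it on the NAS itself against its own bash binary.

```shell
#!/bin/sh
# Added example: local self-test of a bash binary for the two Shellshock
# parser flaws. Function names and the MARKER string are constructed here.
# Usage: sh check.sh /bin/bash   (absolute path, or a name found on PATH)

# Flaw fixed by the first patch: a command placed after a function
# definition in an environment variable runs when bash starts.
check_first() {
    out=$(env 'x=() { :;}; echo MARKER' "$1" -c ':' 2>/dev/null) || true
    case "$out" in
        *MARKER*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# Flaw fixed by the second patch: a malformed definition leaves the parser
# holding a redirection, so "echo date" runs "date" into a file named "echo".
check_second() {
    bin=$(command -v "$1") || return 2
    tmp=$(mktemp -d) || return 2
    # Run in a scratch directory so a stray "echo" file is easy to spot.
    ( cd "$tmp" && env 'X=() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then r=vulnerable; else r=patched; fi
    rm -rf "$tmp"
    echo "$r"
}

# Report both results on one line for the given bash binary.
check_bash() {
    echo "first=$(check_first "$1") second=$(check_second "$1")"
}

if [ "$#" -gt 0 ]; then check_bash "$1"; fi
```

A binary built with only the first patch reports `first=patched second=vulnerable`, which is the case the "both patches" question in the thread is about.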