By Alan Hargreaves-Oracle on Sep 29, 2014
What a last four days this has been! Certainly from the perspective of a support engineer dealing with this who on days one and two ended up going 43 hours without sleep.
Unless you've been off the grid for the last week, you would know about Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187).
To get the obligatories out of the way first, ...
Oracle has released a formal alert about this vulnerability which you can read at http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html
This document points to a MOS Note containing links to the fixes for this issue. Our current recommendation is to download all patches and IDR patches listed for your particular OS.
This document will be updated as patches get formally released. Given how quickly the initial IDRs were released as formal patches, I would not expect this to take very long.
I also need to thank those of you who have had patience while dealing with us in support on this. As you can imagine, we've had a huge number of calls on it, that given the nature of the issue and the fact that we hit the weekend, needed to be handled by a small number of support engineers. It's taken me most of the weekend to make sure that each of the calls that I own has a current status in it, which involved a couple of statuses from the initial updates (starting around 6am Friday morning Australia/Sydney) through various incarnations of updates. Any update that needs to go into all of my calls now will likely take at least four straight hours.
So I hope you can see that I am indeed grateful for your patience.
There are a few things that have cropped up quite a bit that I will detail here in the hope of avoiding some further calls on the issue.
The patch failed to install
The big one is that people get errors installing the Solaris 8 - Solaris 10 patches. Generally accompanied with a message from
checkinstall about being unable to open something.
Checkinstall, runs as user nobody, group root (group 0 is really not special on Solaris, I would say that we get it because we only setuid(nobody) and don't touch the group), so if you don't have permissions for "nobody" to read the patch, it will fail. Check the permissions on each element of the directory path into which you extracted the patch. I've found that "
chmod go=u-w path", where path is the directory the patch was installed in, fixes the issue. Of course extracting in somewhere like
/tmp after a "
umask 02" would also help.
Installing the patch didn't fix it
We've had a few folks tell us that they've installed the patch but bash still fails the tests. It's generally turned out that they've had another bash binary installed (eg in
/usr/local/bin) that comes first in
$PATH. Check "
Questions that we cannot answer
One last thing, Oracle has a policy of not announcing the time frame of releasing security fixes. If you ask when the IDR patches will become formal patches, we are not going to be able to answer you. What is worth noting though is that the -01 IDRs became formal patches right quickly. Indeed all fixes are now available in Solaris 11.2 sru 2.8.