maemo.org - Talk (https://talk.maemo.org/index.php)
-   Maemo 5 / Fremantle (https://talk.maemo.org/forumdisplay.php?f=40)
-   -   Shellshock? Maemo? (https://talk.maemo.org/showthread.php?t=93930)

jellyroll 2014-09-28 11:59

Re: Shellshock? Maemo?
 
Will there be a bash update for Maemo?

Estel 2014-09-28 21:03

Re: Shellshock? Maemo?
 
Quote:

Originally Posted by szopin (Post 1440820)
We can afford running full blown (pun unintended) and featured linux distro with the latest and greatest (gplv3 even)

Agreed. But the bash availability on N900 is hardly a replacement for a busybox upgrade (and we're stuck with busybox as core /bin/sh, whether we like it or not); it's just a nice additional thing to have.

Now, some people argued that we don't need upstream updates to busybox (including security ones) - that busybox-power provides - in CSSU, because we can install bash anyway. Which is an assumption broken by design, as we can either use bash AND still have ash as core /bin/sh, or only use ASH for everything.

Summing it up, my whole point was that bash isn't a "cure for all your shell related needs, cancer, poverty, and all world problems combined", especially on N900. It doesn't substitute for busybox updates, and busybox-power SHOULD be part of CSSU. Shame on CSSU maintainers that it isn't, as there are no rational/meritocratic reasons for it, only political bash-loving and ash-hating (and letting arrogant buffoons act as CSSU advisors *waves to joerg*, which, fortunately, is a thing of the past already).

/Estel

avidscavenger 2014-10-02 02:56

Re: Shellshock? Maemo?
 
This argument is all very interesting, but can anyone provide a simple answer to the question of whether a bash update is likely to become available, and/or should I try to make one myself?

reinob 2014-10-02 06:59

Re: Shellshock? Maemo?
 
Quote:

Originally Posted by avidscavenger (Post 1441501)
This argument is all very interesting, but can anyone provide a simple answer to the question of whether a bash update is likely to become available, and/or should I try to make one myself?

I don't think anybody runs a privileged web server with CGI support and bash as standard shell on the N900. So it's not likely that people will be running for the update.

But feel free to do it yourself :)

independent 2014-10-05 00:10

Re: Shellshock? Maemo?
 
Quote:

Originally Posted by reinob (Post 1441537)
I don't think anybody runs a privileged web server with CGI support and bash as standard shell on the N900.

No webserver but I do have bash, ssh and a DHCP client. So that makes me vulnerable. :(

reinob 2014-10-05 15:49

Re: Shellshock? Maemo?
 
Quote:

Originally Posted by independent (Post 1441888)
No webserver but I do have bash, ssh and a DHCP client. So that makes me vulnerable. :(

If ssh worries you, be sure to comment out any AcceptEnv options in your sshd_config.

I'm not aware of any DHCP attack vector. Anyway, I don't think *anything* in Maemo, including the DHCP client, requires bash (because it's not even installed by default), so you should be "OK".

But again, feel free to compile the latest bash. I'll see if I can do it quickly myself though.
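
Added example (not part of the thread and not any poster's code): a POSIX sh audit for the two checks discussed above, listing active AcceptEnv directives in an sshd_config and showing which binary a shell path such as /bin/sh resolves to. The function names and the sample config are constructed for illustration; `readlink -f` is assumed to be available (GNU coreutils and busybox both provide it).

```shell
#!/bin/sh
# Added example: audit sshd_config for AcceptEnv and identify the system shell.

# Print each active (uncommented) AcceptEnv directive as "line: text".
# sshd keywords are case-insensitive, may be indented, may use "=" as the
# separator, and may also appear inside Match blocks, so all are reported.
active_acceptenv() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        {
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == "acceptenv") printf "%d: %s\n", NR, line
        }
    ' "$1"
}

# Number of active AcceptEnv directives in the given file.
count_acceptenv() { active_acceptenv "$1" | wc -l | tr -d ' '; }

# Name of the binary a shell path finally resolves to (e.g. busybox, bash).
shell_target() {
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    basename "$target"
}

# Write a constructed sample sshd_config (not taken from any real device).
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample sshd_config
Port 22
#AcceptEnv LANG LC_*
  acceptenv  TERM_PROGRAM
PermitRootLogin no
Match User backup
    AcceptEnv=RSYNC_*
EOF
}

# Demo on the constructed sample; on a real system pass /etc/ssh/sshd_config.
cfg=$(mktemp) && write_sample_config "$cfg"
echo "active AcceptEnv directives: $(count_acceptenv "$cfg")"
active_acceptenv "$cfg"
rm -f "$cfg"
echo "/bin/sh resolves to: $(shell_target /bin/sh)"
```

A count of 0 means sshd passes no client-supplied environment variables through AcceptEnv; restart sshd after editing the file for the change to take effect.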

reinob 2014-10-05 18:08

Re: Shellshock? Maemo?
 
1 Attachment(s)
So, here's the latest bash 4.3 with all 29 patches compiled (without NLS) for armel. It doesn't really need anything in terms of dependencies (although it is NOT statically compiled).

Just unpack it and put it in /usr/local/bin or wherever you find it convenient.

PS: now that "we" control TMO, can we please remove these absurd restrictions on file extension and/or attachment size?

Wikiwide 2014-10-07 11:08

Re: Shellshock? Maemo?
 
Quote:

Originally Posted by reinob (Post 1441944)
PS: now that "we" control TMO, can we please remove these absurd restrictions on file extension and/or attachment size?

Quick reply...
Can you imagine the huge, heavy photographs and drawings that will quickly appear here, and overwhelm the storage?..
Seriously, we should ask techstaff about this. Where can we find the current bugs and feature requests of Maemo server? Is there https support in the works?
Best wishes. Thank you!
~~~~~~~~~~~~~~~~~
Per aspera ad astra...

reinob 2014-10-07 13:55

Re: Shellshock? Maemo?
 
Quote:

Originally Posted by Wikiwide (Post 1442207)
Quick reply...
Can you imagine the huge, heavy photographs and drawings that will quickly appear here, and overwhelm the storage?..
Seriously, we should ask techstaff about this. Where can we find the current bugs and feature requests of Maemo server? Is there https support in the works?

Good points. If at all, I would just hope that we can upload a .tar.gz. Surprisingly and annoyingly, this is not allowed (zip and gz are OK though for some reason).

And well, maybe a bit more than 800Kb would be fine..

Once techstaff sort their stuff out (if it hasn't been done yet) we could have an idea of how much space we need. I'll happily donate for another HDD or two.

reinob 2014-10-08 14:11

Re: Shellshock? Maemo?
 
1 Attachment(s)
Quick heads up. There's a new patch for bash (#30, dated October 5th). When I get some time I'll post an updated version.

Add. here it is!

Add. It passes all current tests:
Code:

$ curl https://shellshocker.net/shellshock_test.sh | bash
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
$



All times are GMT.