AIX

  • 1.  bash shell shock vulnerability

    Posted Fri September 26, 2014 11:53 AM

    Originally posted by: woodstea23


    Is there any word on fixes for the bash Shell Shock vulnerability for AIX? I know it's part of the AIX Toolbox for Linux Apps, but when I check prereqs on my system it's showing that I can't uninstall it because the AIX RPM package is dependent on it:

    # rpm -e --test bash
    error: removing these packages would break dependencies:
            bash   is needed by info-4.6-1
            bash is needed by apr-1.4.8-1
            bash   is needed by info-4.6-1
            bash is needed by apr-1.4.8-1
            /bin/bash2 is needed by rpm-build-3.0.5-49

    # rpm -e --test rpm-build
    error: removing these packages would break dependencies:
            rpm-build is needed by AIX-rpm-7.1.1.15-9

     

    There's a lot of buzz here about this vulnerability and our Linux and Solaris teams are already preparing to install vendor-provided patches this evening.

    What about you, IBM?

     



  • 2.  Re: bash shell shock vulnerability



  • 3.  Re: bash shell shock vulnerability

    Posted Fri September 26, 2014 01:41 PM

    Originally posted by: dwcasey


    I opened a case with IBM. They told me to look at the license information for the Toolbox software which states the software packages are provided "as-is".
    http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/altlic.html

    They also referred me to a 3rd-party site that maintains the Toolbox packages on their own, apart from any support from IBM.
    http://www.perzl.org/aix/

    I ran the uninstall same as you with the warning on dependencies... then ran force remove with the --nodeps option. So far so good. From what I can tell, the dependencies are within the RPM Toolbox packages themselves. If you aren't really using the other packages much (at all?) then you might be just fine to remove bash, as it seems to only be used during scripts run at install time. Running rpm -qa will show all the packages you have.



  • 4.  Re: bash shell shock vulnerability

    Posted Fri September 26, 2014 02:29 PM

    Originally posted by: woodstea23


    That's pretty much exactly the response I assumed IBM would give me. I should have stopped using anything from that Toolbox years ago. Originally it seemed like they were updating it about as often as new TLs came out, but perhaps I was imagining that, and they were only changing the name of the iso. These days the versions are way out of date on a lot of it.

    We will probably have to do what you suggest: remove with --nodeps and then reinstall the latest version from perzl.



  • 5.  Re: bash shell shock vulnerability

    Posted Fri September 26, 2014 03:12 PM

    Originally posted by: dwcasey


    Good luck. Keep this thread updated if you have any ill effects.



  • 6.  Re: bash shell shock vulnerability

    Posted Fri September 26, 2014 07:39 PM

    Originally posted by: dwcasey


    FYI, just received this from IBM

     

    As mentioned previously, the bash shell is not officially supported by IBM. However, we recognize that this is a widely used shell package and realize the impact of this high profile vulnerability. Therefore, an updated bash version to address the bash vulnerability CVE-2014-6271 is now available for download from the Linux Toolbox for AIX versions 6.1 or higher through the following link:
    http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272



  • 7.  Re: bash shell shock vulnerability

    Posted Mon September 29, 2014 02:50 PM

    Originally posted by: chanly_bob


    Does anyone know how to test/validate that this vulnerability has truly been addressed for AIX 5.3/6.1?

    For RHEL5/6, we run the below after the bash patch has been applied.

    cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
     

    output:

    date
    cat: /tmp/echo: No such file or directory
     

    I applied this bash fix from IBM and tried to do the same test/validation procedures, but it did not return the results that I was expecting to see.

    results on AIX61:

    bash: x: line 1: syntax error near unexpected token `='
    bash: x: line 1: `'
    bash: error importing function definition for `x'
    date
    cat: 0652-050 Cannot open /tmp/echo.
     

     



  • 8.  Re: bash shell shock vulnerability

    Posted Wed October 01, 2014 09:27 AM

    Originally posted by: ClaudeDube


    Last night I patched my Solaris; here is my test:

    Before the patch:

    env x='() { :;}; echo vulnerable' bash -c "echo bash tested"
    vulnerable
    bash tested

    After the patch:
    env x='() { :;}; echo vulnerable' bash -c "echo bash tested"
    bash tested

    Voila, Claude
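
The two checks posted in this thread, wrapped into one script as an added example (not part of any post and not an IBM procedure). `BASH_BIN` and the function names are assumptions made for this example; the script decides on the side effect of each test rather than on the error text, since the AIX 6.1 output above prints import errors yet creates no file.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the two checks posted above so the
# verdict does not depend on reading stderr or on a stale /tmp/echo.
# BASH_BIN is an assumed variable name: set it to the bash binary you patched.
BASH_BIN="${BASH_BIN:-bash}"

# Check from post 8: a command placed after an imported function body must not run.
check_trailing_command() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo UNKNOWN; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo bash tested' 2>/dev/null) || :
    case "$out" in
        *vulnerable*)    echo VULNERABLE ;;
        *"bash tested"*) echo OK ;;
        *)               echo UNKNOWN ;;
    esac
}

# Check from post 7: a vulnerable bash creates a file named "echo" in the current
# directory. Run it in a private directory instead of /tmp, and decide only on
# whether that file appears; a fixed bash may still print import errors.
check_redirect_file() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo UNKNOWN; return 0; }
    dir="${TMPDIR:-/tmp}/bashcheck.$$"
    mkdir -m 700 "$dir" 2>/dev/null || { echo UNKNOWN; return 0; }
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || :
    if [ -e "$dir/echo" ]; then verdict=VULNERABLE; else verdict=OK; fi
    rm -rf "$dir"
    echo "$verdict"
}

echo "$BASH_BIN trailing-command check: $(check_trailing_command)"
echo "$BASH_BIN redirect-file check:    $(check_redirect_file)"
```

Run it once per bash binary installed on the system by setting `BASH_BIN` to each path in turn; UNKNOWN means the binary was not found or produced neither expected result.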



  • 9.  Re: bash shell shock vulnerability

    Posted Wed October 01, 2014 04:23 PM

    Originally posted by: ClaudeDube


    Patched bash - shell shock -

    Download link for AIX 6.1 and above:

    Optional documentation download: