Bash | Shellshock Bug

door | 26 september 2014

This morning (26-09-2014) there is a new patch released for the Shellshock bug in bash.

More information about the bug :
https://access.redhat.com/node/1200223
https://access.redhat.com/security/cve/CVE-2014-7169

To test if you are really vulnerable use the following commands :

Before updating bash :

[root@ ~]# env t='() { :;}; echo You are vulnerable.' bash -c "true"
You are vulnerable.
[root@ ~]#

After updating bash :

[root@ ~]# env t='() { :;}; echo You are vulnerable.' bash -c "true"
[root@ ~]#

After updating a CentOS 4 machine :

[root@ ~]$ env t='() { :;}; echo You are vulnerable.' bash -c "true"
bash: warning: t: ignoring function definition attempt
bash: error importing function definition for `t'
[root@ ~]$

To update your OS, use the following commands :

CentOS: yum update bash
CentOS: yum update bash
Ubuntu/Debian: sudo apt-get update && sudo apt-get install bash
FreeBSD: sudo pkg update && sudo pkg install bash (patched version not yet available, update: version 4.3.25_1 is available )
ArchLinux: pacman -S bash
Fedora: su -c yum update bash
OpenBSD: sudo pkg_add -i -v bash

As for CentOS 4, there is no update available.
But RedHat did release a source RPM with the bugfix for extended support customers.

The source RPM is downloadable from oracle ( https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm ) or this link.
You have to compile it yourself to get this patched version.

Geef een reactie

Je e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *