[SATLUG] shellshock bash bug (important)

Bruce Dubbs bruce.dubbs at gmail.com
Fri Sep 26 14:18:55 CDT 2014


If you haven't updated bash on all your systems, you need to do so 
immediately.  Older versions have a severe security bug.

Test with:

$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see 'vulnerable', you need to update.

I don't know if upstream has this ready or not, but you can build your 
own from source:

http://www.linuxfromscratch.org/lfs/view/development/chapter06/bash.html

If your system does not use libreadline.so.6, then you need to update 
that also:

http://www.linuxfromscratch.org/lfs/view/development/chapter06/readline.html

The source files are at:
http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
http://ftp.gnu.org/gnu/readline/readline-6.3.tar.gz
http://www.linuxfromscratch.org/patches/lfs/development/bash-4.3-upstream_fixes-4.patch
http://www.linuxfromscratch.org/patches/lfs/development/readline-6.3-upstream_fixes-2.patch

When updated, you should have:

$ echo $BASH_VERSION
4.3.26(1)-release

Anything less than patch level 26 is vulnerable.  I have successfully 
updated on 686 and x86_64 systems including satlug (Red Hat Enterprise 
Linux ES release 4 (Nahant Update 9), 2012) and an older system at SAC 
(Fedora Core release 6 (Zod), 2007).

Of course you can also try yum or apt-get to see if your upstream 
provider already has this available.

   -- Bruce
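
An added example, not part of the original post: a POSIX shell script that runs the post's test against each bash binary named on the command line and compares its $BASH_VERSION with the patch level 26 threshold given above. The function names (patch_status, probe, audit) are made up for this example, and versions outside the 4.3 series are reported as "unknown" because the post gives no threshold for them.

```shell
#!/bin/sh
# Added example (not from the original post). Usage: sh check.sh /bin/bash ...

# patch_status VERSION: compare a $BASH_VERSION string such as
# "4.3.26(1)-release" with the post's threshold (4.3 patch level 26).
patch_status() {
    ver=${1%%"("*}      # "4.3.26(1)-release" -> "4.3.26"
    series=${ver%.*}    # -> "4.3"
    patch=${ver##*.}    # -> "26"
    case $patch in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$series" != "4.3" ]; then
        echo unknown        # the post only states a threshold for 4.3
    elif [ "$patch" -lt 26 ]; then
        echo vulnerable     # below patch level 26
    else
        echo ok             # at or above the post's threshold
    fi
}

# probe PATH: run the post's test command against one specific binary.
# stderr is discarded so warnings do not clutter the report.
probe() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || :
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo ok ;;
    esac
}

# audit PATH...: one report line per binary: path, version, both verdicts.
audit() {
    for b in "$@"; do
        v=$("$b" -c 'echo "$BASH_VERSION"' 2>/dev/null) || v=
        printf '%s\t%s\tpatch:%s\tprobe:%s\n' \
            "$b" "${v:-?}" "$(patch_status "$v")" "$(probe "$b")"
    done
}

# Only audit when binaries were named on the command line.
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Checking each path separately matters on systems that carry more than one bash, for example a distribution copy in /bin next to a source build in /usr/local/bin.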

