[SATLUG] shellshock bash bug (important)

Steev Klimaszewski threeway at gmail.com
Fri Sep 26 15:01:26 CDT 2014


Debian, Ubuntu, Gentoo are all fixed afaik

On Fri, Sep 26, 2014 at 2:18 PM, Bruce Dubbs <bruce.dubbs at gmail.com> wrote:

> If you haven't updated bash on all your systems, you need to do so
> immediately.  Older versions have a severe security bug.
>
> Test with:
>
> $ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
>
> If you see 'vulnerable', you need to update.
>
> I don't know if upstream has this ready or not, but you can build your own
> from source:
>
> http://www.linuxfromscratch.org/lfs/view/development/chapter06/bash.html
>
> If your system does not use libreadline.so.6, then you need to update that
> also:
>
> http://www.linuxfromscratch.org/lfs/view/development/chapter06/readline.html
>
> The source files are at:
> http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
> http://ftp.gnu.org/gnu/readline/readline-6.3.tar.gz
> http://www.linuxfromscratch.org/patches/lfs/development/bash-4.3-upstream_fixes-4.patch
> http://www.linuxfromscratch.org/patches/lfs/development/readline-6.3-upstream_fixes-2.patch
>
> When updated, you should have:
>
> $ echo $BASH_VERSION
> 4.3.26(1)-release
>
> Anything less than patch level 26 is vulnerable.  I have successfully
> updated on 686 and x86_64 systems including satlug (Red Hat Enterprise
> Linux ES release 4 (Nahant Update 9, 2012)) and an older system at SAC
> (Fedora Core release 6 (Zod), 2007).
>
> Of course you can also try yum or apt-get to see if your upstream provider
> already has this available.
>
>   -- Bruce
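An added example, not part of either message above: a POSIX shell helper that combines the two checks quoted in the thread, the behavioural test and the `$BASH_VERSION` patch-level threshold (4.3 series, patch level 26). The function names are hypothetical, and any other release series is reported as `unknown` because the thread gives no threshold for it.

```shell
#!/bin/sh
# Added example: audit helper built from the two checks quoted in the thread.

# patch_status VERSION
# Classify a $BASH_VERSION string against the threshold stated in the message
# (4.3 series, patch level 26). Prints: patched | vulnerable | unknown.
patch_status() {
    ver=${1%%[!0-9.]*}              # "4.3.26(1)-release" -> "4.3.26"
    case "$ver" in
        *.*.*) ;;
        *) echo unknown; return ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$patch" in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$major" = 4 ] && [ "$minor" = 3 ]; then
        if [ "$patch" -ge 26 ]; then echo patched; else echo vulnerable; fi
    else
        echo unknown                # no threshold given in the thread
    fi
}

# behaves_vulnerable [BASH_PATH]
# Runs the test command from the message against the given bash binary.
# Returns 0 if the marker word is printed, 1 otherwise.
behaves_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_bash [BASH_PATH]
# Prints one summary line for the given bash binary.
audit_bash() {
    target=${1:-bash}
    version=$("$target" -c 'echo "$BASH_VERSION"')
    if behaves_vulnerable "$target"; then
        echo "$target $version: VULNERABLE (test string executed)"
    else
        echo "$target $version: test passed; 4.3.26 threshold check: $(patch_status "$version")"
    fi
}
```

Source the file and run `audit_bash /bin/bash` once for each bash binary installed on the system.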

