[SATLUG] shellshock bash bug (important)

Howard Haradon hharadon at gmail.com
Sun Sep 28 15:04:04 CDT 2014


On Fri, Sep 26, 2014 at 2:18 PM, Bruce Dubbs <bruce.dubbs at gmail.com> wrote:
> If you haven't updated bash on all your systems, you need to do so
> immediately.  Older versions have a severe security bug.
>
> Test with:
>
> $ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
>
> If you see 'vulnerable', you need to update.
>
> I don't know if upstream has this ready or not, but you can build your own
> from source:
>
> http://www.linuxfromscratch.org/lfs/view/development/chapter06/bash.html
>
> If your system does not use libreadline.so.6, then you need to update that
> also:
>
> http://www.linuxfromscratch.org/lfs/view/development/chapter06/readline.html
>
> The source files are at:
> http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
> http://ftp.gnu.org/gnu/readline/readline-6.3.tar.gz
> http://www.linuxfromscratch.org/patches/lfs/development/bash-4.3-upstream_fixes-4.patch
> http://www.linuxfromscratch.org/patches/lfs/development/readline-6.3-upstream_fixes-2.patch
>
> When updated, you should have:
>
> $ echo $BASH_VERSION
> 4.3.26(1)-release
>
> Anything less than patch level 26 is vulnerable.  I have successfully
> updated on 686 and x86_64 systems including satlug (Red Hat Enterprise Linux
> ES release 4 (Nahant Update 9), 2012) and an older system at SAC (Fedora Core
> release 6 (Zod), 2007).
>
> Of course you can also try yum or apt-get to see if your upstream provider
> already has this available.
>
>   -- Bruce

Thanks, Bruce
The fix came thru with Xubuntu's latest patches.
Howard
-- 
Howard Haradon
Sent from my Athlon II X3
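
The two checks from the quoted message (the `env x=...` test and the 4.3 patch-level threshold), wrapped as shell functions for auditing more than one machine. This is an added example, not part of either poster's message; the function names `classify_version`, `probe_bash` and `audit_bash` are hypothetical, and the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): the message's two checks as functions.

# classify_version prints patched / vulnerable / unknown for a
# $BASH_VERSION-style string. Only the 4.3 series is judged, because the
# message states a threshold (patch level 26) for that series only.
classify_version() {
    num=${1%%[!0-9.]*}                 # "4.3.26(1)-release" -> "4.3.26"
    case "$num" in
        [0-9]*.[0-9]*.[0-9]*) ;;       # need major.minor.patch
        *) echo unknown; return 0 ;;
    esac
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$patch" in *[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$major" = 4 ] && [ "$minor" = 3 ]; then
        if [ "$patch" -ge 26 ]; then echo patched; else echo vulnerable; fi
    else
        echo unknown                   # no threshold given for other series
    fi
}

# probe_bash runs the test command from the message against one bash binary.
# stderr is dropped because a patched build may print a warning about the
# function definition it refused to import.
probe_bash() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*)       echo vulnerable ;;   # checked first: both lines print
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;      # binary missing or not bash
    esac
}

# audit_bash reports both results side by side for one binary.
audit_bash() {
    bin=$1
    ver=$("$bin" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver=
    echo "$bin version=${ver:-?} by_version=$(classify_version "$ver") by_probe=$(probe_bash "$bin")"
}

# Stand-alone run: audit whichever bash is first on PATH.
if command -v bash >/dev/null 2>&1; then
    audit_bash "$(command -v bash)"
fi
```

When `by_version` is `unknown`, the `by_probe` result is the one to act on; a self-built bash installed outside PATH can be checked by passing its full path to `audit_bash`.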

