Well, this is twice in a year that I get to do an emergency patch to all my machines – Ugh! The bash vulnerability is a major one because it can affect any program that sets environment variables and then runs bash, such as dhclient, CGI scripts, etc. To test if you have the problem, run:
env x='() { :;}; echo Vulnerable' bash -c "echo This is a test"
and if you get:
Vulnerable
This is a test
Then it is time to patch. At least for me it was pretty easy to do:
Ubuntu 10.04, 12.04: Run apt-get update; apt-get install bash
Debian 7 (wheezy): Run apt-get update; apt-get install bash
Debian 6 (squeeze): Add these lines to /etc/apt/sources.list:
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
and then run apt-get update; apt-get install bash.
Debian 5 (lenny): I had to build bash per the instructions located at https://dmsimard.com/2014/09/25/the-bash-cve-2014-6271-shellshock-vulnerability/. Once I had a good binary, I could just copy it over to /usr/local/bin/bash on all my Debian lenny machines and link /bin/bash to it. This works for all non-supported OS (e.g. I used it also on an old version of OEL).
CentOS 6: Run yum update bash
Mac OS X 10.6 – 10.9: A very nice person created a package for Macs that is available at http://blog.designed79.co.uk/?p=2000. Just download and install.
Hope this helps other folks who need to patch their systems.
Double ugh! The first patch was not complete so I get to do it all again. The test for the new vulnerability is:
cd /tmp; rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
if you see something like this at the end of the output, you're vulnerable:
uid=1000(ski) gid=1000(ski) groups=1000(ski)
For Red Hat, CentOS 6, Ubuntu and Debian 7 (wheezy), Debian 6 (with new repositories) just update bash. No updated binaries for the Mac yet. For 3.2 source code, copy this file to bash32-053, put it in your source code directory, cd into it and run:
patch -p0 < bash32-053
./configure && make
make install
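Both checks above can be scripted so that the result for one particular binary, such as a rebuilt /usr/local/bin/bash, is a single word instead of output read by eye. This is an added example, not part of the original post; the function names and the patched/vulnerable/error words are its own, and the second check runs in a private temporary directory instead of /tmp.

```shell
#!/bin/sh
# Added example: the post's two manual checks, run against a named bash binary.
# Pass absolute paths, e.g.  sh check-bash.sh /bin/bash /usr/local/bin/bash
# (the script name is hypothetical).

# First check: does text after the function body run when bash imports x?
check_first() {
    [ -x "$1" ] || { echo error; return; }
    out=$(env x='() { :;}; echo Vulnerable' "$1" -c 'echo This is a test' 2>/dev/null) || true
    case "$out" in
        *Vulnerable*)       echo vulnerable ;;
        *"This is a test"*) echo patched ;;
        *)                  echo error ;;   # binary ran but gave no usable output
    esac
}

# Second check: an affected bash writes the output of "id" into a file
# named "echo" in the current directory. Detect the file, not the text.
check_second() {
    [ -x "$1" ] || { echo error; return; }
    dir=$(mktemp -d) || { echo error; return; }
    # The subshell keeps the cd local to this check.
    ( cd "$dir" && env -i X='() { (a)=>\' "$1" -c 'echo id' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# One line per binary, suitable for collecting from many machines.
report() {
    for b in "$@"; do
        printf '%s first=%s second=%s\n' "$b" "$(check_first "$b")" "$(check_second "$b")"
    done
}

if [ $# -gt 0 ]; then
    report "$@"
fi
```

Checking /bin/bash and /usr/local/bin/bash separately matters on machines where one was replaced by hand, since a stale copy can remain at the other path.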