I recently had to patch 28 Ubuntu servers at our company. In theory it's an easy procedure but, you know, when you're dealing with old systems that have not been updated for years it can get a little more complicated.
Looking for the solution in different posts, I've compiled my own recipe.
First of all, how do you know if your bash is vulnerable to Shellshock (CVE-2014-6271)?
Run this (it sets an environment variable that looks like an exported function and checks whether bash executes the command that follows the function body):
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
OK output (the two warning lines go to stderr and come from the first-round fix, which still tries to import X and rejects it; a bash with the later patches no longer treats a plain X variable as a function at all and prints only "completed", which is also fine):
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed
KO output, bash must be PATCHED (the echo after the function body was executed):
busted
completed
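The same check wrapped so it can be run unattended on many hosts and give a machine-readable verdict. This is an added example, not code from the original post: the output classification is split into its own function so it can be exercised with the three results shown above (constructed sample output), and the actual test is run against whatever bash is found on PATH, or the binary given as the first argument. The hosts.txt file name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: fleet-friendly version of the Shellshock one-liner above.

# Classify the stdout of the test command. Pure string handling, so it can be
# driven with constructed output and without touching a real bash.
classify_shellshock_output() {
    case "$1" in
        *busted*)    echo vulnerable ;;  # the command after the function body ran
        *completed*) echo patched ;;     # only the real -c command ran
        *)           echo unknown ;;     # bash did not run at all
    esac
}

# Run the test against a bash binary ($1, default: first bash on PATH).
# Prints the verdict; exit status is 0 only when the binary is NOT vulnerable
# (2 when no usable bash was found).
check_shellshock() {
    bash_bin=${1:-$(command -v bash 2>/dev/null || true)}
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo unknown
        return 2
    fi
    # A patched bash may print import warnings on stderr; discard them so only
    # the presence or absence of "busted" on stdout decides the verdict.
    out=$(env X="() { :;} ; echo busted" "$bash_bin" -c "echo completed" 2>/dev/null)
    verdict=$(classify_shellshock_output "$out")
    echo "$verdict"
    [ "$verdict" = patched ]
}

# Typed directly on a box this reports the default bash. To sweep a fleet from a
# jump host (hosts.txt is an assumed one-host-per-line file):
#   while read -r h; do printf '%s: ' "$h"; ssh "$h" sh < check.sh; done < hosts.txt
check_shellshock "${1:-}"
```

Because the verdict is also the exit status, the loop above can be turned into a list of hosts that still need work by keeping only the ones where ssh returns non-zero.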
The easiest way to update on Ubuntu is with apt-get (as root, or with sudo):
apt-get update
apt-get install --only-upgrade bash
If for any reason this method doesn't work (an outdated sources.list, a release that has moved to old-releases, or whatever), you can update bash by rebuilding it from source. This should work on other Linux flavours too, but I've only tested it on Ubuntu.
It's easy to update from source following this recipe (you need gcc and make, i.e. build-essential, installed):
cd /src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# Patches are numbered from 001; there is no bash43-000. 025 is the original Shellshock fix and 026 to 030 are the follow-up fixes, so fetch all of them; check the directory listing and raise the upper bound if more have been published.
for i in $(seq -f "%03g" 1 30); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
# patch(1) exits non-zero if a patch does not apply; stop on the first failure rather than build a half-patched tree.
for i in $(seq -f "%03g" 1 30); do patch -p0 < ../bash43-$i || break; done
# Only the install step needs root; this overwrites the distribution's /bin/bash in place.
./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && make && sudo make install
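A more defensive version of the same rebuild, as an added example rather than the recipe above: it reads the patch list from the ftp.gnu.org directory index so it picks up every published bash 4.3 patch instead of a hard-coded count, verifies the GPG signature of the tarball and of each patch, and stops at the first patch that does not apply. Assumptions not in the original: the https URL and index layout of ftp.gnu.org, that the bash maintainer's signing key is already in your gpg keyring (if it is not, gpg --verify fails and the script stops, which is the intended safe default), and that /usr/local/src is where you keep source trees (set BUILD_ROOT to change it). The index-parsing helpers are exercised below with a constructed listing.

```shell
#!/bin/sh
# Added example: signed, complete from-source Shellshock rebuild for bash 4.3.
set -u
BASE_URL=${BASE_URL:-https://ftp.gnu.org/gnu/bash}    # assumed layout
BUILD_ROOT=${BUILD_ROOT:-/usr/local/src}               # assumed location

# Pull the sorted, de-duplicated patch names (bash43-001, bash43-002, ...)
# out of a directory index read from stdin. The .sig entries collapse onto
# the patch name they belong to. Pure text processing, so it runs offline.
patch_names_from_index() {
    grep -o 'bash43-[0-9][0-9][0-9]' | sort -u
}

# Highest patch level in a list of names on stdin, e.g. bash43-030 -> 30.
highest_patch_level() {
    sed 's/^bash43-0*//' | sort -n | tail -n 1
}

# Download every published patch plus its detached signature into $1 and
# refuse to continue if any signature does not verify.
fetch_patches() {
    dest=$1
    mkdir -p "$dest"
    wget -qO- "$BASE_URL/bash-4.3-patches/" | patch_names_from_index > "$dest/patchlist"
    while read -r p; do
        wget -q -P "$dest" "$BASE_URL/bash-4.3-patches/$p" "$BASE_URL/bash-4.3-patches/$p.sig"
        gpg --verify "$dest/$p.sig" "$dest/$p" || { echo "bad signature on $p" >&2; return 1; }
    done < "$dest/patchlist"
}

# Apply the patches from $2 to the source tree in $1, in numeric order,
# aborting on the first reject so a half-patched tree is never built.
apply_patches() {
    cd "$1" || return 1
    while read -r p; do
        patch -p0 < "$2/$p" || { echo "$p failed to apply" >&2; return 1; }
    done < "$2/patchlist"
}

# Same configure flags as the recipe: replaces the distribution's /bin/bash.
build_and_install() {
    cd "$1" || return 1
    ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc &&
    make &&
    sudo make install
}

main() {
    src=$BUILD_ROOT/bash-4.3
    patches=$BUILD_ROOT/bash43-patches
    cd "$BUILD_ROOT" || exit 1
    wget -q "$BASE_URL/bash-4.3.tar.gz" "$BASE_URL/bash-4.3.tar.gz.sig"
    gpg --verify bash-4.3.tar.gz.sig bash-4.3.tar.gz || exit 1
    tar xzf bash-4.3.tar.gz
    fetch_patches "$patches" && apply_patches "$src" "$patches" && build_and_install "$src"
}

# Nothing is downloaded or built unless the script is invoked with --run, so
# the helper functions can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh rebuild-bash.sh --run` on the affected host; the patch level it ends up at is whatever `highest_patch_level` reports for the current listing, which you can compare against `bash --version` afterwards (4.3.30 for patch 030, and so on).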
Remember to re-run the initial check afterwards to confirm the problem is gone. Bear in mind that installing over /bin/bash this way replaces a file owned by the bash package: a later apt upgrade of that package will overwrite your build (fine, as long as the packaged version is fixed too), and package verification tools such as debsums will report the binary as modified until then.
Sources for this post: