20140927

Ultimate guide to patch ShellShock in old Ubuntus

I've recently had to patch 28 Ubuntu servers in our company. In theory it's an easy procedure but, you know, when you're dealing with old systems that have not been updated for years it can get a little more complicated.

Looking for the solution in different posts, I've compiled my own recipe.

First of all, how do you know if you're vulnerable?

Run this (it exports a crafted function definition in the environment and then starts bash; a fixed bash ignores the trailing command, a vulnerable one executes it):
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

OK output (patched):
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed

Bad output (vulnerable, must be PATCHED!):
busted
completed

The easiest way to update on Ubuntu is through the package manager (apt-get):

apt-get update
apt-get install --only-upgrade bash

If for any reason this method doesn't work (outdated sources.list, pointing to old-releases or whatever), you can update bash by rebuilding it from source. This method should work for other Linux flavors, but I've only tested it on Ubuntu.

It's easy to update from source following this recipe:

cd /src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz

# Official patches are numbered from 001 (bash43-000 does not exist), so start at 1
for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
# Apply the patches in order from inside the source tree (hence -p0 and ../)
for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done
# Install over the system bash in /bin instead of the default /usr/local prefix
./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && sudo make && sudo make install

Remember to re-check the initial command to see if the problem has vanished.
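As an added example (not from the original post), here is the same test wrapped in a small POSIX sh script that prints a clear verdict and returns an exit status, so it can be re-run on every server after patching. The function names and the "unknown" verdict (binary missing or not runnable) are my own additions.

```shell
#!/bin/sh
# Added example, not from the original post: Shellshock re-check with a verdict.

# Classify the stdout of the env-based test (read from stdin) and print one of:
# vulnerable (the body of X was executed), patched (X was ignored and the real
# command ran), unknown (nothing usable came back, e.g. bash did not start).
classify_shellshock_output() {
    out=$(cat)
    case "$out" in
        *busted*)    echo vulnerable ;;
        *completed*) echo patched ;;
        *)           echo unknown ;;
    esac
}

# Run the post's test against a given bash binary (default: the one on PATH)
# and print the verdict. Exit status: 0 patched, 1 vulnerable, 2 unknown,
# so the function drops straight into a loop over many hosts.
check_bash() {
    bashbin=${1:-$(command -v bash)}
    [ -n "$bashbin" ] && [ -x "$bashbin" ] || { echo unknown; return 2; }
    # stderr is dropped: a fixed bash prints its "ignoring function definition"
    # warning there, and only stdout decides the verdict.
    verdict=$(env X='() { :;} ; echo busted' "$bashbin" -c 'echo completed' 2>/dev/null \
              | classify_shellshock_output)
    echo "$verdict"
    case "$verdict" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}
```

Source the file and call `check_bash /bin/bash` (or `check_bash` with no argument to use the bash found on PATH); the exit status makes it easy to collect results from a loop over all servers.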

Sources for this post:

1 comment:

zeehio said...

Still, with no possibility to upgrade via the package system you will miss future security updates, such as the current bash patches 29 and 30.

In my opinion, using an unsupported OS is an unreliable "solution" to the problem.