Shellshock is a serious server security issue that was made public yesterday. The best fix is to apply security updates from your Linux distribution, as they become available.
If that is not possible for any reason (e.g., unsupported distros, like the Ubuntu 13.04 boxes we have not killed yet), you will need to compile bash from the source (including all the patches) – which may be confusing if you are not used to building C/C++ software “by hand”.
There are some scripts that compile and install a new bash (like shellshocker.net’s curl https://shellshocker.net/fixbash | sh), but they assume you are ok with the latest bash version (4.3), and I needed to stay with 4.2. Here is how I did it:
BEFORE APPLYING, PLEASE READ THIS:
- You can copy and paste, but I recommend reading and applying commands one by one.
- You need a user with
- Replace “4.2” with the actual “major.minor” version of bash you are running (the steps will guide you into finding that).
- In the end, this will not install the new bash, just build it. Read below for your installation options.
Now you need to replace your vulnerable bash with the new one. There are two ways of doing it:
- Installing the new
sudo make install. If you only have a couple servers, I recommend that.
- Manually replacing /bin/bash in affected servers with the new one. Only do it if the other servers use the same architecture/Linux version.
sudo cp /wherever/my/new/bash/is/bash /bin/bash should work, unless the server complains the file is already in use. In that case, try this:
- Move the old bash somewhere else (sudo mv /bin/bash ~/old_bash).
- Copy the new bash where the old one was (sudo cp /wherever/my/new/bash/is/bash /bin/bash).
bash --version (and the vulnerability test, if you want) to check the new bash is in place. You can also log in again and
You may have to chmod +x /bin/bash and/or chown root:root /bin/bash if your copy didn’t preserve permissions/ownership.
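The manual replacement and the checks described above can be wrapped into one guarded step. The script below is an added example, not part of the original post: the function names are hypothetical, and the self-test it runs is the widely published local Shellshock check, which this page mentions but does not show.

```shell
#!/bin/sh
# Added example: verify a rebuilt bash, then swap it in with a backup.
# All function names are hypothetical; paths are supplied by the caller.

# Print "major.minor" of a bash binary, e.g. "4.2".
bash_major_minor() {
    "$1" -c 'echo "${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}"'
}

# Return 0 if the binary still runs code appended to an imported function
# definition (the published local self-test), 1 if it does not.
imports_trailing_code() {
    irc_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null) || true
    case "$irc_out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# replace_bash NEW TARGET BACKUP WANTED_VERSION
# Refuses to touch TARGET unless NEW is executable, reports the wanted
# major.minor version, and passes the self-test.
replace_bash() {
    rb_new=$1 rb_target=$2 rb_backup=$3 rb_want=$4
    [ -x "$rb_new" ] || { echo "not executable: $rb_new" >&2; return 1; }
    rb_have=$(bash_major_minor "$rb_new") || return 1
    [ "$rb_have" = "$rb_want" ] || {
        echo "version is $rb_have, wanted $rb_want" >&2; return 1; }
    if imports_trailing_code "$rb_new"; then
        echo "new binary is still vulnerable" >&2; return 1
    fi
    cp -p "$rb_target" "$rb_backup" || return 1   # keep the old bash
    # Stage next to the target, then rename over it. A rename swaps the
    # directory entry, so a running bash does not cause "file in use" errors.
    rb_tmp="$rb_target.new.$$"
    cp "$rb_new" "$rb_tmp" || { rm -f "$rb_tmp"; return 1; }
    chmod 0755 "$rb_tmp" || { rm -f "$rb_tmp"; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$rb_tmp" || { rm -f "$rb_tmp"; return 1; }
    fi
    mv -f "$rb_tmp" "$rb_target"
}

# Example call (run as root): replace_bash ./bash /bin/bash ~/old_bash 4.2
```

Because the backup is taken before the rename, restoring the previous binary is a single copy of the backup file back over the target.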