Quote:
My (updated) servers are returning 403 to them.
check & patch for "Shellshock"
We're using servers & self-made thin clients with Debian Squeeze.
Where can I download just a patch instead of apt-get upgrade?
You aren't really looking, are you? :rolleyes:
OK, this once as it's important: http://www.linuxquestions.org/questi...sh-4175519968/
// Thread merged if necessary, renamed to include CVE numbers and popular name and stickied. Please keep the distribution-specific discussion here, else see https://www.linuxquestions.org/quest...-a-4175519975/. Please let me know if you spot similar topic threads to merge.
Quote:
I have patched all the versions, and it is like this: you have two ways, the binary package pre-made from your Debian or type of Debian distro, or compile it from source.

I first test it in a console.

Code:
env x='() { :;}; echo vulnerable' bash -c "echo testing this"

Code:
# env x='() { :;}; echo vulnerable' bash -c "echo testing this"

Code:
apt-get update ; apt-get install bash

If it tells you you are already up to date, then you need to find out what you are running.

Code:
dpkg-query -l|grep bash

And look for where they have the bash files; I used one from Germany. You will find patches going as far back from today, fixing the issues as far back as version 2. So just cd to your source directory (you can use a different dir if you want), then wget the version, or the latest if you want (check for dependencies). Easiest is to get the code you already have running; for example, if you have 3.2, go get version 3.2. Then you untar/gzip it, change to that directory, go get the patches right into the directory, and patch it!

Code:
cd /usr/src

Here is an example of me changing to the directory and patching it.

Code:
cd /usr/src/bash-4.3
seq -f "%03g" 1 26

Above, you need to see how many patches are in there. At the time of writing this there are 26 patches and it starts at 1. If you're using 3.2 there are 53 patches, so you would change these numbers in the example above to seq -f "%03g" 1 53, and of course the two parts where it is bash43-$i to bash32-$i, and press enter. When you are done you should have a mess of patching, maybe even warnings like illegal names. Finally, you need to compile and install this with this command.

Code:
./configure && make && make install

Code:
mv /bin/bash /bin/bash.old

Code:
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo

Code:
rm /bin/bash.old

I hope that helps; I did this in this order so many times yesterday! Also, it's not perfect, but there's a fail2ban filter now out that might help a little more if you're watching your apache2 logs like some of us. Just look through some of my posts or go to the fail2ban site; I put it up in there.
Quote:
ln -s /usr/local/bin/bash /bin/bash doesn't work. After a reboot I got "bash no such file" and it was impossible to log on to the server in single-user too. Perhaps better cp /usr/local/bin/bash /bin/bash
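The check-then-replace sequence from the posts above, as an added shell example that is not from any poster in this thread. The function names and the `probe-done` marker are made up for illustration; "patched" here means only that the binary passes the thread's env test, and the install step makes /bin/bash a real file rather than a symlink, as the last reply suggests.

```shell
#!/bin/sh
# Added example: function names and the "probe-done" marker are assumptions.

# check_bash PATH: print "vulnerable", "patched" or "unusable" for one binary.
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo unusable; return 2; }
    # Probe from the thread: a vulnerable bash executes the text after the
    # function body while importing x, so "vulnerable" appears in the output.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe-done' 2>/dev/null) || :
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *probe-done*) echo patched; return 0 ;;
        *)            echo unusable; return 2 ;;  # present but does not run
    esac
}

# safe_replace NEW TARGET: install NEW as TARGET only if NEW runs and passes
# the probe. TARGET ends up a regular file (not a symlink into /usr/local),
# and the previous binary is kept as TARGET.old until you remove it.
safe_replace() {
    new=$1
    target=$2
    if [ "$(check_bash "$new")" != patched ]; then
        echo "refusing: $new does not run or fails the probe" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        cp -p "$target" "$target.old" || return 1
    fi
    # Copy next to the target, then rename: the swap is a single step, so
    # there is never a moment without a usable $target.
    cp "$new" "$target.new" && mv "$target.new" "$target" || return 1
    [ "$(check_bash "$target")" = patched ]
}

# Report on the two locations mentioned in the thread.
for b in /bin/bash /usr/local/bin/bash; do
    echo "$b: $(check_bash "$b")"
done

# As root, once "make install" has put the new build in /usr/local/bin:
#   safe_replace /usr/local/bin/bash /bin/bash
```

Run `check_bash /bin/bash.old` before deleting the fallback copy, and keep a root shell open until a fresh login with the new /bin/bash has worked.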