I have patched every version I run, and it comes down to this: you have two ways, the pre-built binary package from Debian (or whatever Debian-derived distro you use), or compiling from source.
I first test it in a console:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo testing this"
It should look like this if it is patched (the warning and error are the fix refusing to import the function; the trailing command after the function body is what must NOT run):
Code:
# env x='() { :;}; echo vulnerable' bash -c "echo testing this"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
testing this
Then I do the usual, as the super user (root) or with sudo depending on your version or type of Debian:
Code:
apt-get update ; apt-get install bash
If that pulls in a new bash you are covered for the major part of the CVE-2014 Shellshock issues, but you will have to wait for the dust to settle before the latest patches (the two most recent ones entered today) reach the package. Then you are done, you can call it a day, and you will pass the tests most of the kiddies on the net are running to find openings for some fun.
If it tells you bash is already up to date, you need to find out which version you are running:
Code:
dpkg-query -l | grep bash
# dpkg-query -l | grep bash
ii  bash    4.3-9.1    amd64    GNU Bourne Again SHell
As you can see I have 4.3. Next, find a mirror that is not busy (the main ones were impossible to get onto today):
http://www.gnu.org/server/mirror.html
and look for where they keep the bash files.
I used one from Germany. You will find patches fixing these issues for releases going as far back as version 2.
So cd to your source directory (you can use a different directory if you want), then wget the tarball for your version, or the latest if you prefer (check for dependencies first). Easiest is to get the same code you already have running: if you have 3.2, go get version 3.2.
Then untar it, change into that directory, fetch the patches straight into it, and patch it!
Code:
cd /usr/src
wget ftp://ftp.hawo.stw.uni-erlangen.de/gnu/bash/bash-4.3.tar.gz
tar zxvf bash-4.3.tar.gz
cd bash-4.3
The above is for 4.3; if you have a different version, get that version instead.
Here is an example of me changing into the directory and patching it (note that patch -p0 is what the GNU bash patches expect):
Code:
cd /usr/src/bash-4.3
for i in $(seq -f "%03g" 1 26); do
wget -nv ftp://ftp.hawo.stw.uni-erlangen.de/gnu/bash/bash-4.3-patches/bash43-$i
patch -p0 < bash43-$i
done
You will note I have 4.3; change the directory to match your version. The part
seq -f "%03g" 1 26
is where you set how many patches there are. Check the patches directory on the mirror: at the time of writing there are 26 patches for 4.3, numbered from 001. If you are running 3.2 there are 53 patches, so you would change the numbers in the example above to
seq -f "%03g" 1 53
and of course change the two places that read
bash43-$i
to
bash32-$i
and press enter.
When it is done you should see a lot of patch output, maybe even warnings such as illegal names. If any patch reports a failed hunk, stop there and do not build the half-patched tree.
Finally, compile and install it with this command:
Code:
./configure && make && make install
That scrolls a lot of output for a while. If configure or make fails you may need to install some build dependencies (gcc and make, for a start). When it is done you can test again; first move the old binary aside and link in the new one. make install puts the new bash in /usr/local/bin, so be aware that the symlink below makes /bin/bash depend on /usr being mounted; if /usr is a separate filesystem on your box, copy the binary into /bin instead of symlinking it.
Code:
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash
Then test the old and the new (the old one should print "vulnerable", the new one should not):
Code:
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo
I would rm (remove) the old one.
Then you are good until the next patch comes out, although in my case you would need to change the 26 to 27 (or whatever) if they add more patches. As of writing this you are up to date on all the known issues (well, if they find more, then ...).
I hope that helps; I did this, in this order, so many times yesterday!
Also, it is not perfect, but there is a fail2ban filter out now that might help a little more if you are watching your apache2 logs like some of us. Just look through some of my posts or go to the fail2ban site; I put it up there.
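The whole procedure above, wrapped in a script so each step can be checked on its own, as an added example that is not part of the original post. The mirror URL is the one used above; the source directory, the patch-numbering helpers, the "stop at the first failed patch" rule and the copy-instead-of-symlink install are choices made here, not the post's. The first test is the post's own (CVE-2014-6271); the second is the well-known follow-up test for CVE-2014-7169, the parser bug the first patch left open, which a vulnerable bash reveals by creating a file named "echo" in the working directory. Run it as "sh shellshock.sh build 4.3 26" (version and patch count are arguments) to download, patch, build, install and retest; with no arguments it only defines the functions.

```shell
#!/bin/sh
# Added example, not code from the original post. Mirror URL is the one the
# post used; SRCDIR and the install strategy are assumptions made here.

MIRROR="${MIRROR:-ftp://ftp.hawo.stw.uni-erlangen.de/gnu/bash}"
SRCDIR="${SRCDIR:-/usr/src}"

# "4.3.30(1)-release" -> "4.3": the major.minor series a patch set applies to.
bash_series() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Series of the bash binary given as $1 (default: the bash on PATH).
installed_series() {
    v=$("${1:-bash}" -c 'printf "%s\n" "$BASH_VERSION"' 2>/dev/null || true)
    bash_series "$v"
}

# "4.3" -> "bash43": the prefix GNU uses for that series' patch files.
patch_prefix() {
    printf 'bash%s\n' "$(printf '%s' "$1" | tr -d .)"
}

# Patch file name for patch number $2 of series $1, e.g. bash43-007.
patch_name() {
    printf '%s-%03d\n' "$(patch_prefix "$1")" "$2"
}

# CVE-2014-6271 test (the one from the post). Returns 0 if $1 is patched,
# 1 if the command smuggled in after the function body was executed.
shellshock_6271() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo testing this' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169 test: a vulnerable bash mis-parses the function body, treats
# the ">" as a redirection and creates a file named "echo" in the cwd.
shellshock_7169() {
    tmp=$(mktemp -d)
    ( cd "$tmp" && env X='() { (a)=>\' "${1:-bash}" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"; return 0
}

# Download bash-$1.tar.gz, then apply patches 1..$2 in order, stopping at the
# first one that fails so a half-applied tree is never built.
fetch_and_patch() {
    series=$1; npatches=$2
    cd "$SRCDIR" || return 1
    wget -nv "$MIRROR/bash-$series.tar.gz" || return 1
    tar zxf "bash-$series.tar.gz" && cd "bash-$series" || return 1
    i=1
    while [ "$i" -le "$npatches" ]; do
        p=$(patch_name "$series" "$i")
        wget -nv "$MIRROR/$(patch_prefix "$series")-patches/$p" || return 1
        patch -p0 < "$p" || { echo "patch $p failed" >&2; return 1; }
        i=$((i + 1))
    done
}

# Build into /usr/local/bin (configure's default), then swap the new binary
# into /bin with a copy rather than a symlink, so /bin/bash still works when
# /usr is a separate filesystem that is not mounted at early boot.
build_and_install() {
    ./configure && make && make install || return 1
    cp /usr/local/bin/bash /bin/bash.new \
        && mv /bin/bash /bin/bash.old \
        && mv /bin/bash.new /bin/bash
}

case "${1:-}" in
    build)
        fetch_and_patch "$2" "$3" && build_and_install || exit 1
        for b in /bin/bash.old /bin/bash; do
            if shellshock_6271 "$b" && shellshock_7169 "$b"; then
                echo "$b: patched"
            else
                echo "$b: VULNERABLE"
            fi
        done
        ;;
esac
```

The patch loop returns on the first failed hunk rather than continuing, which is the check the hand-typed loop above lacks: a build from a tree where patch 012 failed but 013 to 026 applied will still produce a bash, just not the one you think you have.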