Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Instructions to Update Bash in LMDE Fix ShellShock
I thought I'd post these instructions here since I haven't seen a clear, concise description of what LMDE (Linux Mint Debian Edition) users should do to update bash to fix the ShellShock vulnerability.
Are You Vulnerable?
First, verify that you are vulnerable. From a terminal execute:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Add The Debian Repository
Currently (September 27, 2014 11:00 EDT) LMDE hasn't provided an update for bash. You can install it from Debian. Create /etc/apt/sources.list.d/debian-package-repositories.list containing the following:
Code:
deb http://ftp.debian.org/debian sid main contrib non-free

$ sudo apt-get update
WARNING: DO NOT RUN sudo apt-get upgrade !!!
$ sudo apt-get install bash
When you are prompted to overwrite .bashrc enter N

Cleanup
When you are finished remove /etc/apt/sources.list.d/debian-package-repositories.list or just comment out the one line with a # at the beginning of the line.
You probably don't need to do this, but I rebooted and ran the test to verify that I no longer have the vulnerability.

Quote:
Code:
apt-get install --only-upgrade bash
Hope that helps.

Why is this necessary? Why doesn't LMDE's update mechanism handle this very important update?

Quote:
http://forums.linuxmint.com/viewtopi...f=198&t=178991
Short answer, Clem is "out of office" until next week?

The update manager history shows bash updated to 4.3.9.2
However bash --version => 4.3.0(1) and the following code still indicates bash vulnerability
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
I have also tried adding the sid repository and updating bash, this suggests the latest version of bash is already installed. The upgrading seems to be just out of reach!

Quote:
Code:
$ bash --version
What was the output of "sudo apt-get update" ?
What was the output of "sudo apt-get install bash" ?

Versions of bash
I seem to have two versions of bash installed !
/usr/local/bin/bash --version => GNU bash, version 4.3.0(1)-release (x86_64-unknown-linux-gnu)
/bin/bash --version => GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)

So removing /usr/local/bin/bash seems to have done the trick !
bash --version => GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)
env x='() { :;}; echo vulnerable' bash -c "echo this is a test" => this is a test
Phew, no longer vulnerable.

I don't have /usr/local/bin/bash on my system, so I'm not sure where yours came from.
What files do you have in /etc/apt/ and /etc/apt/sources.list.d/ ?

Files in /etc/apt are as follows:
apt.conf.d preferences sources.list sources.list.d trusted.gpg apt-file.conf preferences.d sources.list.bk temp.sources.list trusted.gpg.d
Files in /etc/apt/sources.list.d/ as follows:
debian-package-repositories.list
cat debian-package-repositories.list => deb http://ftp.debian.org/debian sid main contrib non-free
I have been playing with Linux containers and NixOS and must have installed a spurious extra copy of bash, which proved hard to find and fix. Thanks Eric.

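The stray /usr/local/bin/bash found in this thread is a case where the package update succeeded but "bash" on PATH still resolved to an unpatched copy. As an added example (not code from any poster in this thread), this POSIX shell script runs the thread's test against every copy of bash on PATH; the function names are made up here, and it covers only the CVE-2014-6271 test string shown above.

```sh
#!/bin/sh
# Added example (not from the thread): run the thread's check on every copy
# of a shell found on PATH. Covers the CVE-2014-6271 test string only.

# list_shells NAME [SEARCH_PATH]: print each executable NAME in lookup order.
list_shells() {
    ls_name=$1; ls_old_ifs=$IFS
    IFS=:
    for ls_dir in ${2:-$PATH}; do
        [ -n "$ls_dir" ] || ls_dir=.
        if [ -f "$ls_dir/$ls_name" ] && [ -x "$ls_dir/$ls_name" ]; then
            printf '%s\n' "$ls_dir/$ls_name"
        fi
    done
    IFS=$ls_old_ifs
}

# is_vulnerable BINARY: return 0 if BINARY executed the command that trails
# the function definition in the environment variable x.
is_vulnerable() {
    iv_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' \
        2>/dev/null </dev/null) || true
    case $iv_out in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_shells NAME [SEARCH_PATH]: report every copy; return 1 if any fails.
audit_shells() {
    as_rc=0; as_note=' (first on PATH)'
    as_found=$(list_shells "$@")
    while IFS= read -r as_bin; do
        [ -n "$as_bin" ] || continue
        if is_vulnerable "$as_bin"; then
            echo "VULNERABLE  $as_bin$as_note"; as_rc=1
        else
            echo "ok          $as_bin$as_note"
        fi
        as_note=
    done <<EOF
$as_found
EOF
    return $as_rc
}

# Stand-alone run against the real PATH.
audit_shells bash || echo "Update or remove the copies marked VULNERABLE."
```

On a system with merged /bin and /usr/bin the same file is listed once per PATH entry that reaches it.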
Interesting to note that I don't have /etc/apt/sources.list (or sources.list.bk and temp.sources.list).

Why is this 7-year-old thread still here?