Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Instructions to Update Bash in LMDE Fix ShellShock
 

I thought I'd post these instructions here since I haven't seen a clear, concise description of what LMDE (Linux Mint Debian Edition) users should do to update bash to fix ShellShock vulnerability.

Are You Vulnerable?

First, verify that you are vulnerable. From a terminal execute:

If the response includes "vulnerable" then you need to upgrade bash.

Add The Debian Repository

Currently (September 27, 2014 11:00 EDT) LMDE hasn't provided an update for bash. You can install it from Debian.

Create /etc/apt/sources.list.d/debian-package-repositories.list containing the following:

Upgrading

$ sudo apt-get update

WARNING: DO NOT RUN sudo apt-get upgrade !!!

$ sudo apt-get install bash

When you are prompted to overwrite .bashrc enter N


Cleanup

When you are finished remove /etc/apt/sources.list.d/debian-package-repositories.list or just comment out the one line with a # at the beginning of the line.

You probably don't need to do this, but I rebooted and ran the test to verify that I no longer have the vulnerability.

I've been using
on my Ubu-flavored hosts to only upgrade only bash.

Hope that helps.

Why is this neccesary? Why doesn't LMDE's update mechanism handle this very important update?

Good question for the LMDE maintainer (I think his name is Clem). In my experience LMDE updates take a bit longer to filter down from Debian Testing, but they eventually show up.

http://forums.linuxmint.com/viewtopi...f=198&t=178991

Short answer, Clem is "out of office" until next week?

The update manager history shows bash updated to 4.3.9.2
However bash --version => 4.3.0(1)
and the following code still indicates bash vulnerability

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

I have also tried adding the sid repository and updating bash,
this suggests the latest version of bash is already installed.

The upgrading seems to be just out of reach!

Something is definitely wrong with the way you are upgrading. The version in Debian sid (unstable) is 4.3.25(1). Here is what I see on my system:

What are the contents of your /etc/apt/sources.list.d/debian-package-repositories.list file?

What was the output of "sudo apt-get update" ?

What was the output of "sudo apt-get install bash" ?

Versions of bash
 

I seem to have two versions of bash installed !

/usr/local/bin/bash --version
=> GNU bash, version 4.3.0(1)-release (x86_64-unknown-linux-gnu)

/bin/bash --version
=> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)

So removing /usr/local/bin/bash seems to have done the trick !

bash --version
=> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
=> this is a test

Phew, no longer vulnerable.

---------- Post added 10-04-14 at 08:23 PM ----------

So removing /usr/local/bin/bash seems to have done the trick !

bash --version
=> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
=> this is a test

Phew, no longer vulnerable.

I don't have /usr/local/bin/bash on my system, so I'm not sure where yours came from.

What files do you have in /etc/apt/ and /etc/apt/sources.list.d/ ?

Files in /etc/apt are as follows:

apt.conf.d preferences sources.list sources.list.d trusted.gpg
apt-file.conf preferences.d sources.list.bk temp.sources.list trusted.gpg.d


files in /etc/apt/sources.list.d/ as follows:
debian-package-repositories.list

cat debian-package-repositories.list
=> deb http://ftp.debian.org/debian sid main contrib non-free

I have been playing with linux containers and nixOS and must have installed
a spurious extra copy of bash, which proved hard to find and fix.

Thanks Eric.

Interesting to note that I don't have /etc/apt/sources.list (or sources.list.bk and temp.sources.list).

Why is this 7 year old thread still here?