LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Linux Mint
User Name
Password
Linux Mint This forum is for the discussion of Linux Mint.

Notices


Reply
  Search this Thread
Old 09-27-2014, 11:11 AM   #1
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint Debian Edition (LMDE)
Posts: 215

Rep: Reputation: 31
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Instructions to Update Bash in LMDE Fix ShellShock


I thought I'd post these instructions here since I haven't seen a clear, concise description of what LMDE (Linux Mint Debian Edition) users should do to update bash to fix ShellShock vulnerability.

Are You Vulnerable?

First, verify that you are vulnerable. From a terminal execute:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the response includes "vulnerable" then you need to upgrade bash.

Add The Debian Repository

Currently (September 27, 2014 11:00 EDT) LMDE hasn't provided an update for bash. You can install it from Debian.

Create /etc/apt/sources.list.d/debian-package-repositories.list containing the following:

Code:
deb http://ftp.debian.org/debian sid main contrib non-free
Upgrading

$ sudo apt-get update

WARNING: DO NOT RUN sudo apt-get upgrade !!!

$ sudo apt-get install bash

When you are prompted to overwrite .bashrc enter N


Cleanup

When you are finished remove /etc/apt/sources.list.d/debian-package-repositories.list or just comment out the one line with a # at the beginning of the line.

You probably don't need to do this, but I rebooted and ran the test to verify that I no longer have the vulnerability.
 
Old 09-27-2014, 01:46 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,364
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by eric.r.turner View Post
Upgrading

$ sudo apt-get update

WARNING: DO NOT RUN sudo apt-get upgrade !!!

$ sudo apt-get install bash
I've been using
Code:
apt-get install --only-upgrade bash
on my Ubu-flavored hosts to only upgrade only bash.

Hope that helps.
 
Old 09-28-2014, 07:46 AM   #3
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 89
Why is this neccesary? Why doesn't LMDE's update mechanism handle this very important update?
 
Old 09-28-2014, 09:20 AM   #4
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint Debian Edition (LMDE)
Posts: 215

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by cepheus11 View Post
Why is this neccesary? Why doesn't LMDE's update mechanism handle this very important update?
Good question for the LMDE maintainer (I think his name is Clem). In my experience LMDE updates take a bit longer to filter down from Debian Testing, but they eventually show up.
 
Old 09-28-2014, 10:43 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,364
Blog Entries: 37

Rep: Reputation: Disabled
http://forums.linuxmint.com/viewtopi...f=198&t=178991

Short answer, Clem is "out of office" until next week?
 
Old 10-04-2014, 02:56 PM   #6
xyzmjf
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Rep: Reputation: Disabled
The update manager history shows bash updated to 4.3.9.2
However bash --version => 4.3.0(1)
and the following code still indicates bash vulnerability

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

I have also tried adding the sid repository and updating bash,
this suggests the latest version of bash is already installed.

The upgrading seems to be just out of reach!
 
Old 10-04-2014, 03:13 PM   #7
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint Debian Edition (LMDE)
Posts: 215

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by xyzmjf View Post
The update manager history shows bash updated to 4.3.9.2
However bash --version => 4.3.0(1)
and the following code still indicates bash vulnerability

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

I have also tried adding the sid repository and updating bash,
this suggests the latest version of bash is already installed.

The upgrading seems to be just out of reach!
Something is definitely wrong with the way you are upgrading. The version in Debian sid (unstable) is 4.3.25(1). Here is what I see on my system:

Code:
$ bash --version
GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
What are the contents of your /etc/apt/sources.list.d/debian-package-repositories.list file?

What was the output of "sudo apt-get update" ?

What was the output of "sudo apt-get install bash" ?
 
Old 10-04-2014, 03:20 PM   #8
xyzmjf
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Rep: Reputation: Disabled
Versions of bash

I seem to have two versions of bash installed !

/usr/local/bin/bash --version
=> GNU bash, version 4.3.0(1)-release (x86_64-unknown-linux-gnu)

/bin/bash --version
=> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)
 
Old 10-04-2014, 03:23 PM   #9
xyzmjf
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Rep: Reputation: Disabled
So removing /usr/local/bin/bash seems to have done the trick !

bash --version
=> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
=> this is a test

Phew, no longer vulnerable.

---------- Post added 10-04-14 at 08:23 PM ----------

So removing /usr/local/bin/bash seems to have done the trick !

bash --version
=> GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
=> this is a test

Phew, no longer vulnerable.
 
Old 10-04-2014, 03:26 PM   #10
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint Debian Edition (LMDE)
Posts: 215

Original Poster
Rep: Reputation: 31
I don't have /usr/local/bin/bash on my system, so I'm not sure where yours came from.

What files do you have in /etc/apt/ and /etc/apt/sources.list.d/ ?
 
Old 10-04-2014, 03:31 PM   #11
xyzmjf
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Rep: Reputation: Disabled
Files in /etc/apt are as follows:

apt.conf.d preferences sources.list sources.list.d trusted.gpg
apt-file.conf preferences.d sources.list.bk temp.sources.list trusted.gpg.d


files in /etc/apt/sources.list.d/ as follows:
debian-package-repositories.list

cat debian-package-repositories.list
=> deb http://ftp.debian.org/debian sid main contrib non-free

I have been playing with linux containers and nixOS and must have installed
a spurious extra copy of bash, which proved hard to find and fix.

Thanks Eric.
 
Old 10-04-2014, 03:36 PM   #12
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint Debian Edition (LMDE)
Posts: 215

Original Poster
Rep: Reputation: 31
Interesting to note that I don't have /etc/apt/sources.list (or sources.list.bk and temp.sources.list).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Apache2 Fail2ban Filter charly78 Linux - Security 12 10-25-2014 12:36 PM
[SECURITY NOTICE!] Bash 4.3 (shellshock, CVE-2014-6271 and CVE-2014-7169) ReaperX7 Linux From Scratch 2 09-28-2014 07:47 AM
LXer: Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available LXer Syndicated Linux News 1 09-26-2014 02:43 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Linux Mint

All times are GMT -5. The time now is 07:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration