Today I upgraded Bash on my CentOS 6.5 Linux machine to patch the ‘ShellShock’ vulnerability, CVE-2014-6271.
There’s a command to confirm the vulnerability (shown below, run as root). If the word ‘vulnerable’ is output, then the system is vulnerable. Mine returned:
    [root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
By issuing the ‘bash --version’ command I could see my system was running Bash 4.1.2(1):
    [root@localhost ~]# bash --version
    GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
    Copyright (C) 2009 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
Running the following ‘yum list bash’ command showed which Bash package I currently had installed, 4.1.2-15.el6_4:
    [root@localhost ~]# yum list bash
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Loading mirror speeds from cached hostfile
     * base: mirror.bytemark.co.uk
     * extras: mirror.bytemark.co.uk
     * updates: mirror.sov.uk.goscomb.net
    adobe-linux-i386                                   |  951 B     00:00
    adobe-linux-x86_64                                 |  951 B     00:00
    base                                               | 3.7 kB     00:00
    extras                                             | 3.3 kB     00:00
    updates                                            | 3.4 kB     00:00
    updates/primary_db                                 | 5.3 MB     00:02
    Installed Packages
    bash.x86_64    4.1.2-15.el6_4      @anaconda-CentOS-201311272149.x86_64/6.5
    Available Packages
    bash.x86_64    4.1.2-15.el6_5.1    updates
It also showed that a newer package, 4.1.2-15.el6_5.1, was available from the updates repository.
The good CentOS developer folk released the updated package pretty quickly to patch this, so upgrading to it was very easy:
    [root@localhost ~]# yum update bash
That completed successfully, and I didn’t need to reboot my system. Now when I run the vulnerability test, I get:
    [root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
Notice that I don’t get the ‘vulnerable’ string in the output any more.
Running ‘yum list bash’ now shows I have the most recent el6_5.1 version installed:
    [root@localhost ~]# yum list bash
    Loaded plugins: fastestmirror, refresh-packagekit, security
    Loading mirror speeds from cached hostfile
     * base: mirror.bytemark.co.uk
     * extras: mirror.bytemark.co.uk
     * updates: mirror.sov.uk.goscomb.net
    Installed Packages
    bash.x86_64    4.1.2-15.el6_5.1    @updates
So that’s my system patched and up to date.
Curiously, when I do a ‘bash --version’, the version there hasn’t changed; it’s still 4.1.2(1), even after a system reboot:
    [root@localhost ~]# bash --version
    GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
    Copyright (C) 2009 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
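The unchanged ‘bash --version’ string is expected on RHEL and CentOS: the fix is backported into the 4.1.2 source and only the RPM release field moves (el6_4 to el6_5.1), so the package release, not the upstream version, is what to check. The script below is an added example, not code from the original post: it wraps the env test above in a function and compares the installed package’s version-release against the fixed one from the ‘yum list bash’ output. It assumes only POSIX sh and GNU ‘sort -V’, with bash and rpm optional on the PATH; ‘sort -V’ is an approximation of rpm’s own comparison, adequate for these release strings. One caveat the post does not cover: the first ShellShock fix was incomplete, and the follow-up CVE-2014-7169 shipped for CentOS 6 as 4.1.2-15.el6_5.2, so raise REQUIRED_BASH_VR if you are tracking that one too.

```shell
#!/bin/sh
# Added example (not from the original post): check a host for the
# CVE-2014-6271 ShellShock bug two ways. Assumes POSIX sh, GNU sort -V
# and, optionally, bash and rpm on the PATH. The version strings are
# taken from the package names shown in the post.

# 1. Behavioural test: the same env trick as in the post. A bash that
#    still has the bug executes the trailing "echo vulnerable" while
#    importing x; a fixed bash prints a warning on stderr and only runs
#    the -c command. Prints "vulnerable", "patched" or "no-bash".
check_cve_2014_6271() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# 2. Package test: on RHEL/CentOS "bash --version" stays at 4.1.2(1)
#    because the fix is backported; only the RPM release changes.
#    Returns 0 when $1 is at least $2 in version-sort order. sort -V is
#    an approximation of rpm's rpmvercmp, good enough for the
#    dotted/underscored release strings used here.
release_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Version-release that fixed CVE-2014-6271 on CentOS 6, from the post's
# "yum list bash" output. The follow-up CVE-2014-7169 fix shipped as
# 4.1.2-15.el6_5.2 (not from this post); raise this if you track it.
REQUIRED_BASH_VR="4.1.2-15.el6_5.1"

# Prints "ok (...)", "outdated (...)" or "no-rpm" for the installed bash package.
check_bash_package() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "no-rpm"
        return 2
    fi
    installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' bash 2>/dev/null) || {
        echo "no-rpm"
        return 2
    }
    if release_at_least "$installed" "$REQUIRED_BASH_VR"; then
        echo "ok ($installed)"
        return 0
    fi
    echo "outdated ($installed < $REQUIRED_BASH_VR)"
    return 1
}

# Stand-alone run: report both checks.
echo "CVE-2014-6271 env test: $(check_cve_2014_6271)"
echo "bash package release:   $(check_bash_package)"
```

On the post’s machine before the update this prints "vulnerable" and "outdated (4.1.2-15.el6_4 < 4.1.2-15.el6_5.1)"; after ‘yum update bash’ it prints "patched" and "ok (4.1.2-15.el6_5.1)". The behavioural test is the one that matters for running services: it exercises the bash binary on disk, which is what a new CGI or DHCP-client process will load, whereas the package check only tells you what was installed.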