Topic: Shellshock vulnerability - do we need to do anything?

purps

Not wanting to start a panic or anything, but thought I should ask the question seeing as we are all using Linux and not only that, using it as a gateway/router.

I had an email come round at work warning us of this potential weakness. It was recommended we run the following command...
Quote
env X="() { :;} ; echo vulnerable" /bin/sh -c "echo this is a test"

...to see if we are vulnerable. If I am to believe this test, then apparently I am.

What can we do, if anything?

Cheers,
Matt.
1004 RC :: looking good :: upgraded 01/04/2013
my setup :: http://wiki.linuxmce.org/index.php/User:Purps
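
Added example, not part of any post in this thread: the test quoted above only exercises whatever /bin/sh points to, so this sketch runs the same probe against /bin/sh and /bin/bash separately and shows the real binary behind each path. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# classify_output TEXT: decide from the probe's stdout whether the command
# placed after the function body in X was executed by the shell.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo "vulnerable"; return 1
    fi
    echo "not-vulnerable"; return 0
}

# probe_shell PATH: run the thread's probe against one specific shell binary.
probe_shell() {
    if [ ! -x "$1" ]; then
        echo "missing"; return 2
    fi
    # Same probe string as in the post. An affected bash prints "vulnerable"
    # while importing X, before the -c command runs.
    out=$(env X='() { :;} ; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_output "$out"
}

# report: check each shell path and show what it resolves to, since /bin/sh
# is usually a symlink and may or may not be bash.
report() {
    for s in /bin/sh /bin/bash; do
        real=$(readlink -f "$s" 2>/dev/null || echo "$s")
        printf '%s -> %s: %s\n' "$s" "$real" "$(probe_shell "$s")"
    done
}

report
```

Run it before and after upgrading bash; a "not-vulnerable" result covers only this one probe string.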

coley

Re: Shellshock vulnerability - do we need to do anything?
« Reply #1 on: Today at 11:47:13 am »
Code: [Select]
apt-get update && apt-get upgrade
should sort you out - updated bash packages have been released already.

-Coley.

purps

Re: Shellshock vulnerability - do we need to do anything?
« Reply #2 on: Today at 01:20:01 pm »
Yeah I was afraid somebody might say that :-)

Is there any way to upgrade only the packages affected by this issue?

Cheers,
Matt.

coley

Re: Shellshock vulnerability - do we need to do anything?
« Reply #3 on: Today at 02:07:53 pm »
Code: [Select]
sudo apt-get install bash
-Coley.

purps

Re: Shellshock vulnerability - do we need to do anything?
« Reply #4 on: Today at 04:12:40 pm »
I'm getting the following error:

Code: [Select]
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  bash-doc
Recommended packages:
  bash-completion
The following packages will be upgraded:
  bash
1 upgraded, 0 newly installed, 0 to remove and 172 not upgraded.
Need to get 0B/647kB of archives.
After this operation, 57.3kB disk space will be freed.
WARNING: The following packages cannot be authenticated!
  bash
Authentication warning overridden.
(Reading database ... 132533 files and directories currently installed.)
Preparing to replace bash 4.1-2ubuntu3 (using .../bash_4.1-2ubuntu3.4_i386.deb) ...
Unpacking replacement bash ...
dpkg: error processing /var/cache/apt/archives/bash_4.1-2ubuntu3.4_i386.deb (--unpack):
 trying to overwrite '/bin/sh', which is also in package dash 0:0.5.5.1-3ubuntu2
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.
Processing triggers for man-db ...
Errors were encountered while processing:
 /var/cache/apt/archives/bash_4.1-2ubuntu3.4_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

I have tried "sudo apt-get install --true-upgrade bash" and "sudo apt-get install --reinstall bash" also.

Cheers,
Matt.

EDIT: Could I chroot from a live CD or something? If yes, to what directory? Or have I misunderstood how one uses chroot?
« Last Edit: Today at 04:19:42 pm by purps »