==============================================================================
Check whether you need to update
Run this:
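# Local self-check for the bash function-import flaw (CVE-2014-6271, named in
# METHOD4 on this page). The quotes must be plain ASCII: typographic quotes
# pasted from a web page leave the single-quoted string unterminated.
# A clean result only covers this first flaw; also compare the installed
# package version against your distribution's security advisory.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"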
If you are vulnerable, you will see:
vulnerable
this is a test
If you are not, you will see:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
==============================================================================
CHECK your package
# Print the version of the installed bash package so it can be compared
# with the fixed version listed in the distribution's security advisory.
dpkg --status bash | grep -e 'Version'
==============================================================================
HOW TO FIX
==============================================================================
METHOD1:
==============================================================================
# Refresh the package index first; the install step only runs if that
# succeeds, and it then pulls in the newest bash build the configured
# repositories offer. Re-run the package version check afterwards.
sudo apt-get update &&
  sudo apt-get install bash
==============================================================================
METHOD2: compile it yourself
For this to work, you must have "patch" installed:
# Install the patch(1) utility used to apply the upstream bash patches.
# Needs root: no sudo is used here, unlike METHOD1.
apt-get install patch
==============================================================================
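# METHOD2: build bash 4.3 from the upstream tarball plus its official patches.
# Run as root. Every step is checked, so a failed download, a bad signature
# or a rejected patch stops the build instead of installing a half-patched
# shell.
#
# NOTE(review): 25 is the patch level this page was written for. Check the
# upstream bash-4.3-patches directory for later patches before relying on it;
# METHOD4 on this page mentions a follow-up fix (CVE-2014-7169).
last_patch=25
base_url=https://ftp.gnu.org/gnu/bash

cd /root || exit 1
mkdir -p src || exit 1
cd src || exit 1

# Fetch over HTTPS and verify signatures, as METHOD4 does: this code is
# compiled and installed as root, so an unauthenticated download is a
# supply-chain risk.
# NOTE(review): the tarball itself is not signature-checked here; verify it
# as well if upstream publishes a detached signature for it.
wget "$base_url/bash-4.3.tar.gz" || exit 1
wget -nv https://ftp.gnu.org/gnu/gnu-keyring.gpg || exit 1

# download all patches and their detached signatures
# (numbering starts at 001, matching the loop in METHOD4)
for i in $(seq -f "%03g" 1 "$last_patch"); do
  wget -nv "$base_url/bash-4.3-patches/bash43-$i" || exit 1
  wget -nv "$base_url/bash-4.3-patches/bash43-$i.sig" || exit 1
done

tar zxvf bash-4.3.tar.gz || exit 1
cd bash-4.3 || exit 1

# verify, then apply, every patch in order
for i in $(seq -f "%03g" 1 "$last_patch"); do
  if ! gpg --no-default-keyring --keyring ../gnu-keyring.gpg \
    --verify "../bash43-$i.sig" "../bash43-$i"; then
    echo "patch bash43-$i has a bad signature!"
    exit 2
  fi
  if ! patch -p0 < "../bash43-$i"; then
    echo "patch bash43-$i failed"
    exit 1
  fi
done

# build and install
# No --prefix is passed, so the new binary is not written to /bin/bash
# (METHOD4 notes the install path is /usr/local/bin/bash). Check which bash
# the system actually runs before treating the host as fixed.
./configure && make && make install || exit 1

cd ../.. || exit 1
rm -r src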
===========================================================================
METHOD3:
====================================================================
# Upgrade the whole distribution release rather than only the bash package.
# Confirm the installed bash version afterwards with the package check above.
sudo do-release-upgrade
===================================================================
METHOD4
==========================================================================
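# METHOD4: build bash 3.2 from source with signature-verified patches, then
# point /bin/bash at the new binary.
#
# NOTE(review): 53 is the patch level this page was written for; check the
# upstream bash-3.2-patches directory for later patches.
last_patch=53
base_url=https://ftp.gnu.org/gnu/bash

mkdir src && cd src || exit 1
wget "$base_url/bash-3.2.tar.gz" || exit 1
tar zxvf bash-3.2.tar.gz || exit 1
cd bash-3.2 || exit 1

# download, verify, and apply all patches, including the latest one
# that patches CVE-2014-6271 and CVE-2014-7169.
# The keyring comes from the same host as the patches, so the signature
# check is anchored in the HTTPS download of gnu-keyring.gpg.
wget -nv https://ftp.gnu.org/gnu/gnu-keyring.gpg || exit 1
for i in $(seq -f "%03g" 1 "$last_patch"); do
  wget -nv "$base_url/bash-3.2-patches/bash32-$i" || exit 1
  wget -nv "$base_url/bash-3.2-patches/bash32-$i.sig" || exit 1
  # gpg options need two ASCII hyphens; an en dash from a web page is read as
  # a file name. --no-default-keyring limits trust to the downloaded keyring.
  if gpg --no-default-keyring --keyring ./gnu-keyring.gpg \
    --verify "bash32-$i.sig" "bash32-$i"; then
    if ! patch -p0 < "bash32-$i"; then
      echo "patch bash32-$i failed"
      exit 1
    fi
  else
    echo "patch bash32-$i has a bad signature!"
    exit 2
  fi
done

# compile and install to /usr/local/bin/bash
./configure && make || exit 1
sudo make install || exit 1

# point /bin/bash to the new binary
if /usr/local/bin/bash -c 'true'; then
  sudo mv /bin/bash /bin/bash.old || exit 3
  # If the link step fails the host has no /bin/bash, so put the old one back.
  if ! sudo ln -s /usr/local/bin/bash /bin/bash; then
    sudo mv /bin/bash.old /bin/bash
    echo "could not link /bin/bash; original binary restored"
    exit 3
  fi
else
  echo "bash not installed correctly!"
  exit 3
fi

# test by comparing the output of the following
# (the first line runs the old binary, the second the new one)
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo

# /bin/bash.old is still the unpatched shell. Once the comparison is done,
# remove it or drop its execute bit (sudo chmod a-x /bin/bash.old) so nothing
# can keep invoking it.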