Are you vulnerable to Shellshock?


Post by lilrofl »

Without all the fluff associated with "What is Shellshock" (that's what Google is for);

from CLI execute:

Code:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Vulnerable System Output:

Code:

vulnerable
this is a test

Patched System Output:

Code:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Edit: Spelling
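Added example, not part of the original post: a POSIX shell wrapper that runs the test command above against each bash binary found on the system and classifies the output, since a host can carry more than one bash install. The candidate paths and function names are assumptions; output with no warning lines is treated as patched, because only the `vulnerable` marker line shows that the trailing command ran.

```shell
#!/bin/sh
# Added example: run the thread's Shellshock self-test per bash binary.
# The binary paths in check_all are assumptions; adjust them for your host.

# classify_output TEXT -> prints "vulnerable", "patched" or "inconclusive"
classify_output() {
    # The injected command prints the marker on a line of its own.
    if printf '%s\n' "$1" | grep -qx '[[:space:]]*vulnerable[[:space:]]*'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -q 'this is a test'; then
        # The -c command ran and the trailing code in x was not executed.
        echo patched
    else
        # Neither line seen: the binary did not run the test at all.
        echo inconclusive
    fi
}

# check_bash PATH -> verdict for one binary, or "missing" if not executable
check_bash() {
    [ -x "$1" ] || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>&1)
    classify_output "$out"
}

# check_all -> one "path: verdict" line per binary; returns 1 if any is vulnerable
check_all() {
    rc=0
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        v=$(check_bash "$b")
        if [ "$v" = missing ]; then continue; fi
        echo "$b: $v"
        if [ "$v" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

check_all || echo "at least one bash binary still needs the update"
```

This covers only the test command from this post; the non-zero return from `check_all` makes it usable from cron or a configuration-management check.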


Post by ph0bYx »

Quite vulnerable :D


Post by bad_brain »

all fine here, for Debian Wheezy it was patched on the 24th, and for Debian Squeeze yesterday. for Squeeze you have to use the LTS repositories though (LTS = long term support).
so if anyone is still using Squeeze:
https://wiki.debian.org/LTS/Using

:wink:


P.S. looking forward to the artificial hype about this vulnerability, since heartbleed this seems to have become a fashion... :roll:

Post by ph0bYx »

I'm on Wheezy. Ran the test again and it seems to be patched, guess I get the updates a bit later :D


Post by bad_brain »

hm, what repositories are you using (location-wise)? :-k

Post by ayu »

Don't forget to test for the vulnerability that was created because of the first patch ^^

Post by bad_brain »

wasn't even aware there was one....just noticed there were 2 bash updates within a short time... :o
I trust my good ol' Debian so I didn't bother to check why...I'm such a good admin eh... :lol:

Post by ph0bYx »

bad_brain wrote: hm, what repositories are you using (location-wise)? :-k

I download updates from Germany :)


Post by DigitalGangster »

if someone is vulnerable how would they go about doing a patch? since apt-get update/ upgrade hasn't worked :-99


Post by lilrofl »

assuming you are using a currently supported version of Ubuntu or Debian:

Code:

sudo apt-get update && sudo apt-get install --only-upgrade bash

Assuming you are using a no longer supported version of Ubuntu or Debian:

Code:

sudo do-release-upgrade

and recheck.

Post by bad_brain »

if it's Debian Squeeze then note that it's the first Debian release where they test long term support, so even if it's "officially" not updated anymore you can simply switch to the pseudo-experimental LTS repositories....which works perfectly fine for me on 2 productive servers.

all you have to do is to add those lines to /etc/apt/sources.list

Code:

deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

then update&upgrade as usual.

Post by DigitalGangster »

I'm using BackBox which is based on Ubuntu, I tried the commands for both unsupported and supported Linux versions..I've yet to try putting the URLs in my resp as B_B suggested since I'm not on an official Debian distro but since mine is based on Ubuntu which is based on Debian it shouldn't make a difference should it?


Post by lilrofl »

I think it will work still. There is a chance that it will not work, but in not working it will not cause any additional problems that I can think of.