What is a recommended way to patch the Shellshock Bash bug on an unsupported Ubuntu server?
Solution 1
This write-up was helpful and worked for the few instances of Ubuntu 12.10 (Quantal) I still have to support.
Fix Bash Exploit On New and Old Releases of Ubuntu
In summary, the steps are:
- Get the codename of your current release (e.g. quantal) and store it in a variable:
  lsb_release -a
  DISTRIB_CODENAME=quantal
- Change the source to trusty in /etc/apt/sources.list. For example:
  sudo sed -i "s/$DISTRIB_CODENAME/trusty/g" /etc/apt/sources.list
- Update and upgrade bash:
  sudo apt-get update
  sudo apt-get install --only-upgrade bash
- Verify the latest version fails the following test (i.e. you should not see "busted"):
  env X="() { :;} ; echo busted" `which bash` -c "echo completed"
- Revert /etc/apt/sources.list to use the current codename. For example:
  sudo sed -i "s/trusty/$DISTRIB_CODENAME/g" /etc/apt/sources.list
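The same switch, upgrade and revert sequence, written here as an added example (not part of lumpygator's answer) so that the original sources.list is put back even if the apt step fails half way. The file, the two codenames and the command to run are parameters, so it can be rehearsed on a scratch copy of sources.list before touching the real one:

```shell
#!/bin/sh
# Added example: temporarily point an apt sources file at another release, run one
# command, then always restore the original file (EXIT trap inside a subshell).

# swap_codename FILE FROM TO: replace every occurrence of FROM with TO in FILE.
# Fails without touching FILE when FROM is not in it (e.g. wrong codename given).
swap_codename() {
    grep -q "$2" "$1" || return 1
    sed "s/$2/$3/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# with_temporary_codename FILE FROM TO CMD...: FILE reads TO while CMD runs and
# FROM again afterwards, whether CMD succeeds, fails or is interrupted.
with_temporary_codename() {
    file="$1"; from="$2"; to="$3"; shift 3
    (
        cp "$file" "$file.bak" || exit 1
        trap 'mv "$file.bak" "$file"' EXIT
        trap 'exit 130' INT TERM   # turn Ctrl-C into a normal exit so the EXIT trap runs
        swap_codename "$file" "$from" "$to" || exit 1
        "$@"                       # the subshell's status is this command's status
    )
}

# Real use (as root), equivalent to steps 2 to 5 of the answer above:
#   with_temporary_codename /etc/apt/sources.list quantal trusty \
#       sh -c 'apt-get update && apt-get install --only-upgrade bash'
#   apt-get update   # refresh the indexes against the restored quantal sources
```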
Solution 2
https://shellshocker.net/#fix has some good tools for manually updating bash.
curl https://shellshocker.net/fixbash | sh
You can also test if your system is vulnerable:
curl https://shellshocker.net/shellshock_test.sh | bash
Run it at your own risk. Here's the script it runs if the above link expires or you don't want to trust it:
#!/bin/sh
# Build bash 4.3 from the GNU sources and apply every official bash43-NNN patch.
cd ~/ || exit 1
mkdir bash-shellshocker
cd bash-shellshocker || exit 1
echo "Downloading Bash..."
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
echo "Downloading Bash patches..."
# Fetch bash43-001, bash43-002, ... until the first one that does not exist (wget fails).
i=0
rtn=0
while [ $rtn -eq 0 ]; do
    i=`expr $i + 1`
    wget https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' $i)
    rtn=$?
done
# The last download failed, so the highest existing patch number is i-1.
i=`expr $i - 1`
echo "Extracting bash from tar.gz..."
tar zxvf bash-4.3.tar.gz
cd bash-4.3 || exit 1
echo "Applying Patches..."
for j in $(seq -f "%03g" 1 $i); do patch -p0 < ../bash43-$j; done
echo "Ready to install. Configuring..."
# --prefix=/ puts the result at /bin/bash (it also creates /share etc. next to it).
./configure --prefix=/
echo "Running make"
make || exit 1
# The script is meant to be piped into sh, so use a POSIX test rather than [[ ]],
# and check the effective uid instead of $USER, which sudo may leave unchanged.
if [ "$(id -u)" -eq 0 ]
then
    echo "Running make install"
    make install
    cp /bin/bash /usr/local/bin/bash
else
    echo "Running make install (You may need to type your sudo password here)"
    sudo make install
    sudo cp /bin/bash /usr/local/bin/bash
fi
https://github.com/wreiske/shellshocker/blob/master/fixbash is where the script can be found
good luck
Solution 3
As you should only install this kind of security update from a recognized provider, the solution of compiling from sources is the only one you have.
Solution 4
The answer from lumpygator helped me, but I think it's too complicated. If you want to install only one package from a newer Ubuntu release there is no need to edit sources.list, you can just directly download the package and install it. So in the case of the bash shellshock bug go to http://packages.ubuntu.com/trusty/amd64/bash/download, click on the "* security.ubuntu.com/ubuntu" link, and this will download the file bash_4.3-7ubuntu1.5_amd64.deb. Alternatively you can run the command:
wget http://security.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.3-7ubuntu1.5_amd64.deb
After you have got the new package you can install it directly with:
dpkg -i bash_4.3-7ubuntu1.5_amd64.deb
This worked for me on Saucy (13.10).
(Replace amd64 with i386 if you have a 32-bit system.)
Solution 5
Yes, the script provided by shellshocker.net is working.
But for Ubuntu 11.04 (Natty Narwhal), 11.10 (Oneiric Ocelot), 12.04 LTS (Precise Pangolin), 12.10 (Quantal Quetzal), 13.04 (Raring Ringtail), and 13.10 (Saucy Salamander) at least, the version of the Bash package is 4.2, so the script needs a few changes:
#!/bin/sh
# Same idea as the shellshocker script, but for the bash 4.2 series these releases ship.
# "make" needs bison, so install it first: sudo apt-get install bison
cd ~/ || exit 1
mkdir bash
cd bash || exit 1
wget https://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
# Official patches are numbered from bash42-001 upwards (there is no bash42-000);
# this stops at 049, so check the patch directory for anything newer before running it.
for i in $(seq -f "%03g" 1 49); do wget https://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-$i; done
tar zxvf bash-4.2.tar.gz
cd bash-4.2 || exit 1
for i in $(seq -f "%03g" 1 49); do patch -p0 < ../bash42-$i; done
# Without --prefix this installs to /usr/local/bin/bash; /bin/bash is left untouched.
./configure && make
sudo make install
And you have to install Bison for the "make" command to work:
sudo apt-get install bison
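Whichever route you take (apt from trusty as in solution 1, or a source build as in solutions 2 and 5), the point the comments on this question raise is that a source build lands in /usr/local/bin while the system keeps running /bin/bash. The checker below is an added example, not code from any of the answers or from shellshocker.net: it reuses the marker test from solution 1 ("busted" is a harmless echo), runs it against every place a bash may live, and prints each binary's patch level from BASH_VERSION so it can be compared with the highest bashNN-XXX patch that was applied:

```shell
#!/bin/sh
# Added example: report which bash binaries exist and whether each one still
# imports shell functions from environment variables (the Shellshock behaviour).

# shellshock_status BIN: 0 = payload not executed, 1 = "busted" was printed
# (function import still active), 2 = BIN missing or not executable.
shellshock_status() {
    bin="$1"
    [ -x "$bin" ] || return 2
    out=$(env X="() { :;} ; echo busted" "$bin" -c "echo completed" 2>/dev/null) || true
    case "$out" in
        *busted*) return 1 ;;
        *)        return 0 ;;
    esac
}

# bash_patch_level BIN: prints major.minor.patch from BASH_VERSION, e.g. 4.2.53;
# the last number is the highest bashNN-XXX patch built in. Empty for a non-bash.
bash_patch_level() {
    "$1" -c 'printf "%s\n" "${BASH_VERSION%%\(*}"' 2>/dev/null
}

# report_bashes: one line per candidate path; /usr/local/bin/bash is where a
# plain "make install" puts the build, /bin/bash is what the system executes.
report_bashes() {
    for bin in /bin/bash /usr/local/bin/bash "$(command -v bash 2>/dev/null)"; do
        [ -n "$bin" ] || continue
        rc=0; shellshock_status "$bin" || rc=$?
        case $rc in
            2) echo "$bin: not present" ;;
            1) echo "$bin: $(bash_patch_level "$bin") STILL IMPORTS FUNCTIONS" ;;
            0) echo "$bin: $(bash_patch_level "$bin") ok" ;;
        esac
    done
}

report_bashes
```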
Updated on September 18, 2022
Comments
- smonff, over 1 year ago: I maintain an out-of-support Ubuntu 12.10 (Quantal Quetzal) server (don't ask me why, please), and we need to patch the Shellshock Bash security bug. As upgrades are not available anymore, what is the recommended way to patch Bash?
  I found this answer (it recommends retrieving packages from Debian and not installing binary packages, but installing packages from source). That seems OK to me, but what is some other advice?
- Michael Hampton, over 9 years ago: Change to a supported LTS release.
- Stefan Lasiewski, over 9 years ago: Keep in mind that 12.10 has plenty of other security vulnerabilities besides Shellshock.
- smonff, over 8 years ago: @MichaelHampton This server has been destroyed, thanx.
- ceejayoz, over 9 years ago: The idea of fixing a bash vulnerability by using a website URL piped into bash is kinda scary (even if they do appear to be legit).
- Craig, over 9 years ago: @ceejayoz - I did check the script by downloading it first before running it. Of course that doesn't guarantee you'll get the same script every time you run it, so run this at your own risk. The best way is to download it and check it first and then run it locally.
- smonff, over 9 years ago: This website doesn't recommend doing so: you should always use your package manager if possible. There are (unfortunately) some cases where it is not possible; I admit it is terrific. They provide a solution for people with a specific problem; I hope most people know that it's not a good practice.
- gymbrall, over 9 years ago: FYI - the provided GNU patches at the time of this comment do not resolve all of the shellshock exploits. See this article for how to test your bash installation: access.redhat.com/articles/1200223
- Madura Anushanga, over 9 years ago: The above proposed download-and-compile method does not install bash to the correct place: it installs it at /usr/local/bin, while the system uses /bin/bash. So make sure to symlink it when you are done installing. I'd not recommend using ./configure --prefix=/, as that will cause other dirs like share to be made on root.
- smonff, over 9 years ago: I noticed this difference. Why shouldn't we use 4.3 on these Ubuntu versions? Can it break core system elements or other bad stuff?
- smonff, over 9 years ago: Very nice answer, I was searching for something like this.
- CMCDragonkai, over 9 years ago: Awesome, this worked for 13.10, read the link!
- ethree, over 9 years ago: It also installs in the correct place. Want to contribute? Check it out on GitHub and send in a pull request. github.com/wreiske/shellshocker/blob/master/fixbash
- Ame Nomade, over 9 years ago: In general, if you administer some online servers, then you shouldn't upgrade just because a new version is here. You should ask yourself: 1) what's inside this new version; 2) do I need it? Otherwise, just keep stuff as is. This is my advice. And stick to LTS versions.
- Arunabh Das, over 9 years ago: Excellent answer!!
- smonff, over 9 years ago: Note for Bash users: you need to use double quotes to interpolate the variables:
  sed -i "s/trusty/$DISTRIB_CODENAME/g" /etc/apt/sources.list