This is a summary of the CVEs in the shellshock collection of bugs and the fixes for them. These bugs were primarily related to how bash parses environment variables. Correlation between CVEs and upstream patches/releases has been fairly messy, so I'm going to just summarize everything here. This pretty much comes from this oss-sec thread.
Currently I use hannob's bashcheck script to test for shellshock-related vulns.
Bash's versioning is somewhat weird, and you'd best be checking your distro for more information. The distro releases should be patched in some form, or have the latest bash patchsets as follows:
- bash-3.2: Patch 57
- bash-4.0: Patch 44
- bash-4.1: Patch 17
- bash-4.2: Patch 53
- bash-4.3: Patch 30
These are the specific patches for specific CVEs from bash-3.2 to bash-4.3:
- CVE-2014-6271
  - bash-3.2: bash32-052
  - bash-4.0: bash40-039
  - bash-4.1: bash41-012
  - bash-4.2: bash42-048
  - bash-4.3: bash43-025
- CVE-2014-7169
  - bash-3.2: bash32-053
  - bash-4.0: bash40-040
  - bash-4.1: bash41-013
  - bash-4.2: bash42-049
  - bash-4.3: bash43-026
- exported function namespace change (Prevention of generic vulns)
  - bash-3.2: bash32-054
  - bash-4.0: bash40-041
  - bash-4.1: bash41-014
  - bash-4.2: bash42-050
  - bash-4.3: bash43-027
- CVE-2014-7186/CVE-2014-7187
  - bash-3.2: bash32-055
  - bash-4.0: bash40-042
  - bash-4.1: bash41-015
  - bash-4.2: bash42-051
  - bash-4.3: bash43-028
- CVE-2014-6277
  - bash-3.2: bash32-056
  - bash-4.0: bash40-043
  - bash-4.1: bash41-016
  - bash-4.2: bash42-052
  - bash-4.3: bash43-029
- CVE-2014-6278
  - bash-3.2: bash32-057
  - bash-4.0: bash40-044
  - bash-4.1: bash41-017
  - bash-4.2: bash42-053
  - bash-4.3: bash43-030
- If the patches don't work for you, try removing the patchset chunk and seeing if that works.
- If you have trouble reading the context diffs, try patchutils' filterdiff command. An example run:

    filterdiff -v --format=unified bash43-030 > bash43-030-unified.diff
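
The patch lists above can be turned into a quick check of which fixes a given bash is still missing. This is an added example, not part of the original summary or of bashcheck; the function names are made up for illustration. It assumes the reported patch level reflects upstream patches, so a distro build that backported fixes without bumping the patch level will show up as missing them, and any series not listed on this page is reported as `unknown`.

```shell
#!/bin/sh
# Added example: map an upstream bash patch level to the fixes listed above.

# Final patch of each series (the CVE-2014-6278 fix), from the list above.
last_patch() {
    case "$1" in
        3.2) echo 57 ;; 4.0) echo 44 ;; 4.1) echo 17 ;;
        4.2) echo 53 ;; 4.3) echo 30 ;;
        *) return 1 ;;          # series not covered by this page
    esac
}

# missing_fixes SERIES PATCHLEVEL
# Prints one line per fix not yet applied, or "unknown" for a series or
# level it cannot judge. Empty output means all six patches are present.
missing_fixes() {
    mf_last=$(last_patch "$1") || { echo unknown; return 0; }
    case "$2" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    # The six patches are consecutive and end at mf_last, in this order.
    mf_n=$((mf_last - 5))
    for mf_fix in CVE-2014-6271 CVE-2014-7169 function-namespace-change \
                  CVE-2014-7186/CVE-2014-7187 CVE-2014-6277 CVE-2014-6278; do
        [ "$2" -lt "$mf_n" ] && echo "$mf_fix (patch $mf_n)"
        mf_n=$((mf_n + 1))
    done
    return 0
}

# check_bash [PATH]: ask a bash binary for its series and patch level.
check_bash() {
    cb_ver=$("${1:-bash}" -c \
        'echo "${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]} ${BASH_VERSINFO[2]}"' \
        2>/dev/null) || { echo unknown; return 0; }
    set -- $cb_ver
    missing_fixes "$1" "$2"
}

# Check the bash on PATH, or the binary given as the first argument.
check_bash "$@"
```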