-
-
Save kacy/2b9408af04c71fab686e to your computer and use it in GitHub Desktop.
| --- | |
| - hosts: all | |
| user: root | |
| sudo: true | |
| tasks: | |
| - name: update apt | |
| command: apt-get update | |
| - name: update bash | |
| command: apt-get --only-upgrade install bash | |
| - name: check bash fix | |
| command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test" | |
| register: command_result | |
| failed_when: "'error' not in command_result.stderr" |
You also should do
- name: relink libraries
command: /sbin/ldconfig
Or you could reboot
I'm on ubuntu 12.04. I tried running "sudo apt-get --only-upgrade install bash" and this was the result:
Building dependency tree
Reading state information... Done
bash is already the newest version.
But then I ran this: " env x='() { :;}; echo vulnerable' bash -c "echo this is a test" " and the result was:
vulnerable
this is a test
What am I missing?
@aarongolub -- did you also do apt-get update?
It looks like 12.04 was updated 2 hours ago
I did, but it's still pulling 4.2-2 - maybe the repo I'm hitting hasn't been updated yet?:
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main bash amd64 4.2-2ubuntu2.2 [641 kB]
Fetched 641 kB in 0s (790 kB/s)
(Reading database ... 87088 files and directories currently installed.)
Preparing to replace bash 4.2-2ubuntu2.1 (using .../bash_4.2-2ubuntu2.2_amd64.deb) ...
Unpacking replacement bash ...
Processing triggers for man-db ...
Setting up bash (4.2-2ubuntu2.2) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.
Does state=latest clear yum cache? (Docs aren't clear) If not may want to run 'yum clean all' prior to running
There's nothing in this playbook that first ensures the security sources are installed in ubuntu 12. Perhaps the lack of those sources is the issue for @aarongolub.
On Debian Squeeze (approximate to Ubuntu 12), I had to do this first. I don't know what the equivalent ubuntu security sources would be, but that would be the first place I would check @aarongolub.
sudo apt-get install debian-keyring debian-archive-keyring
sudo cat>>/etc/apt/sources.list.d/security.sources.list<<'EOF'
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
EOF
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install debian-security-support
sudo check-support-status
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
foo='() { echo not patched; }' bash -c foo
As for the last task, you could use the shellshocker site script to easily check if all vulnerabilities were resolved by doing:
- name: check vulnerability status fix
shell: curl https://shellshocker.net/shellshock_test.sh | bash
register: command_result
- debug: var=command_result.stdout_lines
And here's a slightly modified version that will work with apt or yum.
tasks: - name: update bash with apt apt: name=bash state=latest update_cache=yes when: ansible_os_family == 'Debian' - name: update bash with yum yum: name=bash state=latest when: ansible_os_family == 'RedHat' - name: check bash fix command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test" register: command_result failed_when: "'error' not in command_result.stderr"