Skip to content

Instantly share code, notes, and snippets.

@kacy
Last active June 16, 2020 20:22
Show Gist options
  • Save kacy/2b9408af04c71fab686e to your computer and use it in GitHub Desktop.
Save kacy/2b9408af04c71fab686e to your computer and use it in GitHub Desktop.
CVE-2014-6271 fix for ubuntu bash
---
- hosts: all
user: root
sudo: true
tasks:
- name: update apt
command: apt-get update
- name: update bash
command: apt-get --only-upgrade install bash
- name: check bash fix
command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
register: command_result
failed_when: "'error' not in command_result.stderr"
Copy link

ghost commented Sep 24, 2014

I did, but it's still pulling 4.2-2 - maybe the repo I'm hitting hasn't been updated yet?:
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main bash amd64 4.2-2ubuntu2.2 [641 kB]
Fetched 641 kB in 0s (790 kB/s)
(Reading database ... 87088 files and directories currently installed.)
Preparing to replace bash 4.2-2ubuntu2.1 (using .../bash_4.2-2ubuntu2.2_amd64.deb) ...
Unpacking replacement bash ...
Processing triggers for man-db ...
Setting up bash (4.2-2ubuntu2.2) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.

@whereismyjetpack
Copy link

Does state=latest clear yum cache? (Docs aren't clear) If not may want to run 'yum clean all' prior to running

@apotek
Copy link

apotek commented Sep 29, 2014

There's nothing in this playbook that first ensures the security sources are installed in ubuntu 12. Perhaps the lack of those sources is the issue for @aarongolub.

On Debian Squeeze (approximate to Ubuntu 12), I had to do this first. I don't know what the equivalent ubuntu security sources would be, but that would be the first place I would check @aarongolub.

sudo apt-get install debian-keyring debian-archive-keyring
sudo cat>>/etc/apt/sources.list.d/security.sources.list<<'EOF'
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
EOF
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install debian-security-support
sudo check-support-status
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
foo='() { echo not patched; }' bash -c foo

@jmserra
Copy link

jmserra commented Nov 7, 2014

As for the last task, you could use the shellshocker site script to easily check if all vulnerabilities were resolved by doing:

- name: check vulnerability status fix
  shell: curl https://shellshocker.net/shellshock_test.sh | bash
  register: command_result

- debug: var=command_result.stdout_lines      

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment