What is a recommended way to patch the Shellshock Bash bug on an unsupported Ubuntu server?
Solution 1:
This write up was helpful and worked for the few instances of Ubuntu 12.10 (Quantal) I still have to support.
Fix Bash Exploit On New and Old Releases of Ubuntu
In summary, the steps are:
- Get the codename of your current release (e.g. quantal) and store it in a variable:
    lsb_release -a
    DISTRIB_CODENAME=quantal
- Change source to trusty in /etc/apt/sources.list. For example:
    sudo sed -i "s/$DISTRIB_CODENAME/trusty/g" /etc/apt/sources.list
- Update and upgrade bash:
    sudo apt-get update
    sudo apt-get install --only-upgrade bash
- Verify latest version fails the following test (i.e. you should not see "busted"):
    env X="() { :;} ; echo busted" `which bash` -c "echo completed"
- Revert /etc/apt/sources.list to use current codename. For example:
    sudo sed -i "s/trusty/$DISTRIB_CODENAME/g" /etc/apt/sources.list
Solution 2:
https://shellshocker.net/#fix has some good tools for manually updating bash.
curl https://shellshocker.net/fixbash | sh
You can also test if your system is vulnerable:
curl https://shellshocker.net/shellshock_test.sh | bash
Run it at your own risk. Here's the script it runs if the above link expires or you don't want to trust it:
cd ~/
mkdir bash-shellshocker
cd bash-shellshocker
echo "Downloading Bash..."
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
echo "Downloading Bash patches..."
# Fetch patches 001, 002, ... until wget fails (no more patches to download)
i=0
rtn=0
while [ $rtn -eq 0 ]; do
    i=`expr $i + 1`
    wget https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03g' $i)
    rtn=$?
done
# The last download failed, so the highest patch number is one less
i=`expr $i - 1`
echo "Extracting bash from tar.gz..."
tar zxvf bash-4.3.tar.gz
cd bash-4.3
echo "Applying Patches..."
for j in $(seq -f "%03g" 1 $i); do patch -p0 < ../bash43-$j; done
echo "Ready to install. Configuring..."
# --prefix=/ installs the new binary as /bin/bash
./configure --prefix=/
echo "Running make"
make
# [ ] rather than [[ ]] so the test also works when the script is piped to sh
if [ "$USER" = "root" ]
then
    echo "Running make install"
    make install
    cp /bin/bash /usr/local/bin/bash
else
    echo "Running make install (You may need to type your sudo password here)"
    sudo make install
    sudo cp /bin/bash /usr/local/bin/bash
fi
https://github.com/wreiske/shellshocker/blob/master/fixbash is where the script can be found.
Good luck.
Solution 3:
As you should only install this kind of security update from a recognized provider, the solution of compiling from sources is the only one you have.
Solution 4:
The answer from lumpygator helped me, but I think it's too complicated. If you want to install only one package from a newer Ubuntu release, there is no need to edit sources.list; you can just directly download the package and install it. So in the case of the bash shellshock bug, go to http://packages.ubuntu.com/trusty/amd64/bash/download and click on the "* security.ubuntu.com/ubuntu" link; this will download the file bash_4.3-7ubuntu1.5_amd64.deb. Alternatively you can run the command:
wget http://security.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.3-7ubuntu1.5_amd64.deb
Once you have the new package, you can install it directly with:
dpkg -i bash_4.3-7ubuntu1.5_amd64.deb
This worked for me on Saucy (13.10).
(Replace amd64 with i386 if you have a 32-bit system.)
Solution 5:
Yes, the script provided by shellshocker.net is working.
But for Ubuntu 11.04 (Natty Narwhal), 11.10 (Oneiric Ocelot), 12.04 LTS (Precise Pangolin), 12.10 (Quantal Quetzal), 13.04 (Raring Ringtail), and 13.10 (Saucy Salamander) at least, the version of the Bash package is 4.2, so the script needs a few changes:
cd ~/
mkdir bash
cd bash
wget https://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
# Upstream patches are numbered from 001, so start the sequence at 1
for i in $(seq -f "%03g" 1 49); do wget https://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-$i; done
tar zxvf bash-4.2.tar.gz
cd bash-4.2
for i in $(seq -f "%03g" 1 49); do patch -p0 < ../bash42-$i; done
# No --prefix is given, so the build uses configure's default prefix, /usr/local
./configure && make
sudo make install
And you have to install Bison for the "make" command to work:
sudo apt-get install bison
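A per-binary version of the test from Solution 1, as an added example that is not part of any answer above: the source builds in Solutions 2 and 5 can leave more than one bash on the system (for instance a new /usr/local/bin/bash beside an old /bin/bash), so each binary is probed on its own. The function names and the list of paths are assumptions.

```shell
#!/bin/sh
# Added example: probe individual bash binaries with the test from Solution 1.

# check_bash PATH: prints "vulnerable", "patched" or "error" for one binary.
check_bash() {
    bin=$1
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        echo "error"
        return 0
    fi
    # X holds a function definition followed by a trailing command; a fixed
    # bash does not run the trailing command while importing the environment.
    out=$(env X='() { :;} ; echo busted' "$bin" -c 'echo completed' 2>/dev/null) || true
    case $out in
        *busted*)    echo "vulnerable" ;;
        *completed*) echo "patched" ;;
        *)           echo "error" ;;
    esac
}

# scan_bash PATH...: prints one "path: verdict" line per existing path and
# returns 1 if any binary is vulnerable or could not be checked.
scan_bash() {
    rc=0
    for b in "$@"; do
        [ -e "$b" ] || continue
        verdict=$(check_bash "$b")
        echo "$b: $verdict"
        if [ "$verdict" != "patched" ]; then
            rc=1
        fi
    done
    return $rc
}

# Assumed locations: the distribution's bash and a source-built copy.
scan_bash /bin/bash /usr/local/bin/bash || echo "not every bash binary is patched"
```

Any path reported as anything other than "patched" still needs attention, whichever bash happens to come first in PATH.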