Can not update Bash on Debian 6.0 (Squeeze)
You must use the squeeze-lts
repository in order to continue receiving updates to Debian Squeeze
To add this repository, edit /etc/apt/sources.list
and add the line
deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib
(you can remove non-free
and contrib
if desired)
Note that as of this instant, squeeze-lts
only has the updated bash for the original CVE-2014-6271 but has not yet updated to fix the new CVE-2014-7169.
To update only bash, after running apt-get update
use apt-get install bash
to install just bash, instead of a complete upgrade.
I had to add LTS repositories to update bash which fixes the Shellshock vulnerability on Debian Squeeze. I hope someone else finds this useful:
First, check to see if your box is vulnerable. Cut/paste this to your command line:
env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED"' \
bash --norc -c ':' 2>/dev/null;
If you get a response like:
WARNING: SHELLSHOCK DETECTED
As I did in Squeeze, you have the vulnerability. You'll have to update your repositories to the LTS version to get the updates, by commenting out your current repository lines starting with 'deb' in your /etc/apt/sources.list file and then adding these:
deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
Now you should update your local cache and install the upgraded bash (their servers are slow now because everyone's updating, so just pull down the bash one for bandwidth's sake):
apt-get update && apt-get install --only-upgrade bash
You can do a full system upgrade later. Now run the vulnerability check script above and you shouldn't get any text output, which means you're patched :)
I've already updated every Debian 6.0 (Squeeze) system I have access to, to Debian 7 (Wheezy), which was surprisingly mostly painless.
If you can't do that, there do seem to be updates in Squeeze-LTS; it has a copy of Bash with yesterday's date, 4.1.3+deb6u1.
Debian 6.0 (Squeeze) is not supported anymore. See the Debian Security Announcement for the reasons.
If you want to have security updates you need to change your sources.list
. This is what you need to enter:
cat /etc/apt/sources.list | grep lts
deb http://ftp2.de.debian.org/debian squeeze-lts main contrib non-free
deb-src http://ftp2.de.debian.org/debian squeeze-lts main contrib non-free
This only works for x86 and x64.
So you have to do the following (quoting the wiki):
For binary packages, add this line:
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
For source packages, add this line:
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
Obviously you can decide which package types you want to include.
See this for details on the version you should have once updated:
Debian Security tracker
Source: Debian Wiki