Can not update Bash on Debian 6.0 (Squeeze)

bash linux debian

You must use the squeeze-lts repository in order to continue receiving updates to Debian Squeeze

To add this repository, edit /etc/apt/sources.list and add the line

deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib

(you can remove non-free and contrib if desired)

Note that as of this instant, squeeze-lts only has the updated bash for the original CVE-2014-6271 but has not yet updated to fix the new CVE-2014-7169.

To update only bash, after running apt-get update use apt-get install bash to install just bash, instead of a complete upgrade.


I had to add LTS repositories to update bash which fixes the Shellshock vulnerability on Debian Squeeze. I hope someone else finds this useful:

First, check to see if your box is vulnerable. Cut/paste this to your command line:

env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED"' \
bash --norc -c ':' 2>/dev/null;

If you get a response like:

WARNING: SHELLSHOCK DETECTED

As I did in Squeeze, you have the vulnerability. You'll have to update your repositories to the LTS version to get the updates, by commenting out your current repository lines starting with 'deb' in your /etc/apt/sources.list file and then adding these:

deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Now you should update your local cache and install the upgraded bash (their servers are slow now because everyone's updating, so just pull down the bash one for bandwidth's sake):

apt-get update && apt-get install --only-upgrade bash

You can do a full system upgrade later. Now run the vulnerability check script above and you shouldn't get any text output, which means you're patched :)


I've already updated every Debian 6.0 (Squeeze) system I have access to, to Debian 7 (Wheezy), which was surprisingly mostly painless.

If you can't do that, there do seem to be updates in Squeeze-LTS; it has a copy of Bash with yesterday's date, 4.1.3+deb6u1.


Debian 6.0 (Squeeze) is not supported anymore. See the Debian Security Announcement for the reasons.

If you want to have security updates you need to change your sources.list. This is what you need to enter:

cat /etc/apt/sources.list | grep lts

deb http://ftp2.de.debian.org/debian squeeze-lts main contrib non-free

deb-src http://ftp2.de.debian.org/debian squeeze-lts main contrib non-free

This only works for x86 and x64.

So you have to do the following (quoting the wiki):

For binary packages, add this line:

deb http://http.debian.net/debian/ squeeze-lts main contrib non-free

For source packages, add this line:

deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Obviously you can decide which package types you want to include.

See this for details on the version you should have once updated:

Debian Security tracker

Source: Debian Wiki

Related

Reliable file transfer over slow or flaky network link
How to scan ipv6 enabled hosts on my LAN?
How do I add no-cache headers to all 404 pages served by apache and nginx?
How to disable https access to specific virtual hosts?
Do bookshelves around an enchantment table make the enchantments better?
How do I protect aircraft carriers especially against submarines?
Perfect 180 turns and aiming
How do I reset parental controls on a Wii system?
Teleport entities relatively to the center of a block
When is it possible to reclaim land in Freeciv by transforming ocean and lake tiles into swamp?
What is the car on the cover of Top Gear/Top Racer?
Does smoke grenade triggers alert or alarm?