How do I fix the Shellshock security vulnerability in debian testing/jessie?

security linux debian shellshock

Download the package from unstable via this link. You can check the dependencies there as well, although it looks like the unstable bash has the same dependencies as the bash from testing. Install the downloaded deb with the following.

dpkg -i

I've edited this answer for the additional bash fixes that were released on Monday.

For Ubuntu 12.04, I ran an update, but also had to run the install for bash to get rid of the vulnerability.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

That command shows the system is vulnerable, so run the update.

apt-get update && apt-get -y upgrade

Test again.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Still vulnerable.

apt-get install -y bash

Test again.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Edit: After the additional patches were released, the output has changed.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Yay! Fixed. This should work for other versions, but I haven't tested it beyond 12.04.

Also, runamok's reply below works well, so give him an upvote!


An alternative for Debian 6.0 (Squeeze) without fetching packages from Debian 7 (Wheezy):

Use the LTS security repository that has the patch backported.

Add this to /etc/apt/sources.list:

#LTS security
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Then run apt-get update && apt-get install bash.

Via: linuxquestions


apt-get update before apt-get dist-upgrade and you will get the patch. Just did it myself and there was a bash upgrade pushed which fixes the problem.


I fixed it on my Hackintosh by:

$ brew install bash 

$ x='() { :;}; echo vulnerable' bash
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash-4.3$

Related

Website error: "Walmart can’t use this browser" [closed]
How to force Network Manager to rescan connections?
Bash: can I set Ctrl-Backspace to delete the word backward?
What is the difference between a GPU and a graphics card in a pc?
What's the difference between SIGKILL and SIGSTOP?
Send only video out with HDMI cable
To explain or to be explained
Difference between “combination of ” and “combination between”
Plural or singular verb for collective term
What is a sentence fragment? [closed]
Need polite phrases expressing disagreement with the information/conclusions of another person, especially an educator [closed]
Grammar questions on the usage of "some" and "some of the" [closed]