How do I fix the Shellshock security vulnerability in debian testing/jessie?

Download the package from unstable via this link. You can check the dependencies there as well, although it looks like the unstable bash has the same dependencies as the bash from testing. Install the downloaded deb with the following.

dpkg -i

I've edited this answer for the additional bash fixes that were released on Monday.

For Ubuntu 12.04, I ran an update, but also had to run the install for bash to get rid of the vulnerability.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

That command shows the system is vulnerable, so run the update.

apt-get update && apt-get -y upgrade

Test again.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Still vulnerable.

apt-get install -y bash

Test again.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Edit: After the additional patches were released, the output has changed.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Yay! Fixed. This should work for other versions, but I haven't tested it beyond 12.04.

Also, runamok's reply below works well, so give him an upvote!


An alternative for Debian 6.0 (Squeeze) without fetching packages from Debian 7 (Wheezy):

Use the LTS security repository that has the patch backported.

Add this to /etc/apt/sources.list:

#LTS security
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Then run apt-get update && apt-get install bash.

Via: linuxquestions


apt-get update before apt-get dist-upgrade and you will get the patch. Just did it myself and there was a bash upgrade pushed which fixes the problem.


I fixed it on my Hackintosh by:

$ brew install bash

$ x='() { :;}; echo vulnerable' bash
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash-4.3$