How do I patch the shellshock vulnerability on an obsolete Ubuntu system that I can't upgrade?
I have a system that I administer remotely (2 timezones away) that runs Ubuntu 9.04, Jaunty. For various reasons, mainly that I'm really leery about trying to do a distribution upgrade from so far away, I can't upgrade it to a more recent version. Obviously it's no longer supported and there aren't any official patches. Are there instructions available as to how I can patch the code and recompile bash myself to remove the shellshock vulnerabilities?
Solution 1:
Stole this from AskUbuntu, from someone who stole it off of Hacker News. Worked on two old servers for me.
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 1 28); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 1 28); do patch -p0 < ../bash43-$i; done
#build and install
./configure --prefix=/ && make && make install
cd ..
cd ..
rm -r src
Update: I just noticed that if you don't add --prefix=/ to the configure command you'll end up with /usr/local/bin/bash that is up to date and /bin/bash will still be vulnerable.
Solution 2:
There's also a solution of updating your sources.list to the newest one and then using apt-get to upgrade only bash. It's really quick and I've written an article about it. Here's what you basically do:
Upgrade to the latest Ubuntu 'trusty' apt-get repositories (you might also have to change old-repositories.ubuntu.com URLs if you use them; check the linked article):
sudo sed -i 's/YOUR_OS_CODENAME/trusty/g' /etc/apt/sources.list
Upgrade bash / apply fix:
sudo apt-get update
sudo apt-get install --only-upgrade bash
And possibly change the apt-get repositories back.
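Whichever route you take, the caveat in Solution 1 (a fresh /usr/local/bin/bash sitting next to a still-vulnerable /bin/bash) means you should verify every bash binary on the box, not just the one first in your PATH. The following is an added verification script, not part of either answer above; it lists /bin/bash plus every bash found on PATH, prints the version each one reports, and runs the widely published function-import diagnostic against each (a patched bash ignores the trailing command and prints only "ok").

```shell
#!/bin/sh
# Added verification helper (constructed for this page, not from the original answers).
# Run it after rebuilding or upgrading bash to confirm that no stale copy remains.

# Print "patched", "vulnerable", or "missing" for one bash binary.
shellshock_status() {
    bin="$1"
    [ -x "$bin" ] || { echo missing; return 0; }
    # An unpatched bash executes the trailing 'echo VULN' while importing x
    # from the environment; a patched one only runs the -c command.
    out=$(env x='() { :;}; echo VULN' "$bin" -c 'echo ok' 2>/dev/null)
    case "$out" in
        *VULN*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# Print the version string the binary itself reports (e.g. 4.3.28(1)-release).
bash_version() {
    bin="$1"
    [ -x "$bin" ] || { echo missing; return 0; }
    "$bin" -c 'printf "%s\n" "$BASH_VERSION"'
}

# List candidate binaries: /bin/bash plus every bash on PATH, de-duplicated.
# The subshell keeps the IFS change from leaking into the caller.
bash_candidates() {
    (
        echo /bin/bash
        IFS=:
        for d in $PATH; do
            if [ -x "$d/bash" ]; then echo "$d/bash"; fi
        done
    ) | sort -u
}

# One line per binary: path, reported version, diagnostic result.
report() {
    bash_candidates | while read -r bin; do
        printf '%-24s %-22s %s\n' "$bin" "$(bash_version "$bin")" "$(shellshock_status "$bin")"
    done
}

report
```

Any line that reports "vulnerable" is a binary the rebuild or upgrade did not replace; on the Solution 1 route that is typically the /bin/bash left behind when --prefix=/ was omitted.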