How to patch bash for shell shock in CentOS, Ubuntu, etc..

September 25, 2014

If you’ve read about the recent bash bug ‘shell shock’, then you’ll want to patch your system(s)! You’ll be patched up in no time!

Patch your system

For CentOS, Fedora, Red Hat (and the like) users, just type this to update it (yes, there's already a patch, and you'll be patched up in about 10 seconds):

For Debian, Ubuntu (and the like) users, type this to update bash:

(This will update the list of packages, then install the latest bash)


Test your system

To test your system, log into your bash shell and type:

(from shellshocker.net)

If you see “vulnerable” afterwards, you haven’t patched it.
If you see “this is a test”, you’re patched.


Patch all your systems at once

If you have a slew of Linux servers, you can update them all at once with this little script, which connects to each host in the list you provide and updates it.
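The test from "Test your system" and the fleet update from this section, as one added example (not the article's own script): it classifies the test output, audits every bash a host can actually execute rather than only the one first in PATH, maps the distro to the article's upgrade command, and runs that over a constructed hosts file (one `user@host` per line, assuming passwordless ssh and sudo).

```sh
#!/bin/sh
# Added example, not the article's script. Assumes a hosts file with one
# "user@host" per line and passwordless ssh/sudo on each host.

# Classify the test's captured output: the injected function body only runs
# on an unpatched bash, so any "vulnerable" token means the fix is missing.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Run the article's env-variable test against one specific shell binary.
test_shell_binary() {
    [ -x "$1" ] || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    classify_shellshock_output "$out"
}

# A source build installs to /usr/local/bin, so check the bash first in
# PATH, /bin/bash and the shell behind /bin/sh; succeed only if all are safe.
audit_local_shells() {
    rc=0
    for bin in "$(command -v bash)" /bin/bash "$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)"; do
        [ -n "$bin" ] || continue
        status=$(test_shell_binary "$bin")
        echo "$bin: $status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# Map the ID= field of /etc/os-release to the article's upgrade command.
upgrade_command_for() {
    case "$1" in
        debian|ubuntu|linuxmint) echo 'sudo apt-get update && sudo apt-get install -y --only-upgrade bash' ;;
        centos|fedora|rhel)      echo 'sudo yum -y update bash' ;;
        *) return 1 ;;
    esac
}

# Patch and re-test every host listed in the file given as $1.
patch_hosts() {
    while read -r host; do
        [ -n "$host" ] || continue
        id=$(ssh "$host" '. /etc/os-release && echo "$ID"')
        cmd=$(upgrade_command_for "$id") || { echo "$host: unknown distro '$id'"; continue; }
        out=$(ssh "$host" "$cmd >/dev/null && env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'" | head -n 1)
        echo "$host: $(classify_shellshock_output "$out")"
    done < "$1"
}
```

Run `audit_local_shells` on the box itself after a source build; its non-zero exit means at least one of the shells a login or `/bin/sh` script would use is still the old bash.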


Have you been ‘tested’ by people yet??

LinuxBrigade has a nice tutorial explaining how to find out if you've been 'tested' yet by the community, and also how to auto-block them with CSF!
Article here: http://www.linuxbrigade.com/bash-shellshock-bug-find-youve-tested/


Update: Shellshock – A week later

KennedyProjects reminds people that they’re there to help if you are having issues patching for Shellshock

70 thoughts on "How to patch bash for shell shock in CentOS, Ubuntu, etc.."

  1. malte

    Hey - I ran the command on one of my production servers running Ubuntu and I get the following result before and after the bash upgrade:
    $ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    vulnerable
    hello

    Did I run the wrong check-hack command?

    Reply
  2. Rob Post author

    When you upgraded – what version of bash did it install?

    You can run:
    bash --version

    Reply
  3. Anthony

    The command for Ubuntu should be this:

    sudo apt-get update && sudo apt-get install --only-upgrade bash

    Reply
  4. Chris

    Like Malte, I am using the latest versions of Ubuntu & bash, but I failed the check-hack. Any ideas. So it seems the current version is /not/ patched sufficiently.

    Reply
    1. Rob Post author

      Chris, did you do the apt-get update first?
      What version of bash are you running after the update?
      bash --version
      (two dashes there before 'version')

      Reply
  5. Pingback: How To Check If Your Mac Or Linux Machine Is Vulnerable To Shellshock | Lifehacker Australia

  6. Lanidarc

    If there isn’t a patch available over the yum or apt-get route for your version, here’s an easy cookbook to patch and install from source:

    # test: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    mkdir src
    cd src
    wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    # download all patches
    for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
    tar zxvf bash-4.3.tar.gz
    cd bash-4.3
    # apply all patches
    for i in $(seq -f "%03g" 0 25); do patch -p0 < ../bash43-$i; done
    # build and install
    ./configure && make && make install
    cd ..
    cd ..
    rm -rf src

    Reply
    1. Oliver

      Thanks Lanidarc, I hope more websites pick up your string of commands to automate downloading from source, patching and installing (particularly useful for older systems that won’t be able to yum install a new enough version of bash).

      Note for anyone trying this command that "" inverted commas are being customised into open & close variants by the website - replace them with normal ones or the wget commands for the patches won't work.

      Reply
      1. Ted

        Oliver, not sure what you mean about the inverted commas. Can you show an example of the command as it should be or explain? Thanks.

        Reply
      2. Balmipour

        Indeed, the quotes from both lines with "%03g" turn to “%03g” when copied, which creates errors. (I guess the site's font makes it transparent)

        Thanks for pointing it out.
        Great fix, as simple as it is efficient!

        Reply
    2. slinberg

      Excellent, thank you. This worked smoothly for FC10, on a server whose 4.5 year uptime I didn’t want to sacrifice to a rebuild with a more current OS. 🙂

      Reply
    3. Matt

      After updating bash using this procedure, has anyone else had an issue with not being able to log in?

      Reply
    4. Lionel

      Thanks, @Lanidarc! As a user of an Ubuntu version that's out of distro support, your instructions were very helpful. I've fixed some bugs & web-corruption in your instructions, & prettied them up into a script to automate the whole process reliably. Anyone interested can see my G+ post with the details here:
      https://plus.google.com/u/0/+LionelLauer/posts/GWaMcXWwVz1
      And download or view the script here:
      http://www.users.on.net/~nop/bashupdate
      Here’s the script itself (warning – the blog SW will probably mess up the quotes & such – better to download it from the link above) :
      #!/bin/bash
      # bashupdate - Build & update bash 4.3 to fix 'Shellshock' vulnerabilities
      # on systems without distro support. Tested on Ubuntu 13.10
      # Credits: original script by user 'Lanidarc' in a comment on
      # http://www.linuxnews.pro/patch-bash-shell-shock-centos-ubuntu/
      # Heavily modified by Lionel Lauer, 2014/10/3
      #
      # How to test for Shellshock:
      # env x='() { :;}; echo vulnerable' bash -c 'echo hello'
      mkdir src
      cd src
      wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
      # Get all patches, not just the first Shellshock bug fix.
      # Will also try for newer ones, so don't panic at any wget errors after patch #29.
      # Change '40' to '25' if you just want the original fix, or '29' for all the patches
      # that existed when this script was written:
      patches=40
      for i in $(seq -f %03g 1 $patches); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
      tar zxvf bash-4.3.tar.gz
      cd bash-4.3
      # Apply all patches:
      for i in $(seq -f %03g 1 $patches);do patch -p0 < ../bash43-$i; done
      # Build and install:
      ./configure && make && sudo make install
      cd ../..
      # I have other sources I wish to keep, so I'll delete the new stuff by hand.
      # Uncomment the following line to clean up automatically:
      #rm -rf src
      # Don't forget to re-test bash to verify that the bug is now fixed!

      Reply
  7. Pingback: Bash Shellshock Patch | Ingrid Richter

  8. Pingback: How To Check If Your Mac or Linux Machine Is Vulnerable to Shellshock | The New Peoples Almanac

  9. lee

    run this command to find version on Ubuntu:
    dpkg -s bash | grep Version
    Output should be something like this: Version: 4.3-7ubuntu1.1

    Depending on what version Ubuntu you are running then The fixed versions are 4.3-7ubuntu1.1, 4.2-2ubuntu2.2, and 4.1-2ubuntu3.1.

    Reply
  10. Pingback: Check to see if you are vulnerable for Shellshock | Eddinn.net

  11. David

    I'm getting this on Debian wheezy.
    E: Option -only-update: Configuration item specification must have an =.

    Reply
    1. Rob Post author

      David, are you putting two dashes before the word only?

      --only-update

      Reply
  12. Brandon Zobisch

    Looks like my version of ChromeOS on my TegraK1 is vulnerable… gotta start looking for a patch.

    Reply
  13. David

    After running the above command, I get the same error E: Option -only-upgrade: Configuration item specification must have an =.

    Reply
  14. Pingback: Shellshock Vulnerability | Ameer Assadi | Security Researcher

  15. Rob Rushworth

    Ubuntu 12.04.5… cleanly re-installed a month ago and updated recently, just patched as instructed, and I get >

    Reading state information… Done
    bash is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

    follow this with a test and I get both replies >

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

    My box is now both secure and vulnerable?

    Reply
  16. Subramanyam

    Hi Rob, after updating bash, I get both Vulnerable and this is a test. I'm using Ubuntu 13.04; please let me know what I should do.

    Thanks in advance

    Reply
    1. Lionel

      @Subramanyam Ubuntu 13.04 is no longer supported, so automatic updates won’t do anything.
      I’ve posted another comment above with a script that should work with any version of Ubuntu, & has been tested successfully on Ubuntu 13.10.
      Cheers!

      Reply
  17. Pingback: ¿Cómo comprobar si tu Mac o Linux equipo es vulnerable a Shellshock? - Nerdilandia

  18. Pingback: Check if Your System is not Vulnerable to Shellshock - 2-viruses.com

  19. Paul Mortlock

    I tried the above command after trying other commands on other sites and your command said I was vulnerable
    Your command line: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    This returned vulnerable and this is a test.
    My command line from another site: env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test"
    This returned: "this is a test". I'm not sure if the command line using the bash keyword is working properly, or perhaps I'm not supposed to use /bin/sh -c, and in that case I'm still vulnerable??? Anyone confused??

    Reply
  20. Tom

    Hi, After i update, i am also getting both “Vulnerable” and “This is a test” – Could someone please advise. I have done this command “dpkg -s bash | grep Version” and got Version: 4.1-3.

    Please advise, Many Thanks.

    Reply
  21. Pingback: Entenda o perigoso bug Shellshock e aprenda a verificar se você está vulnerável a ele | Like a Nerd

  22. Nik

    Hi,
    I tried to upgrade bash on linux server and this is the o/p it gave –

    yum -y update bash
    updates-newkey | 2.3 kB 00:00
    fedora | 2.1 kB 00:00
    updates | 2.6 kB 00:00
    Setting up Update Process
    No Packages marked for Update

    Also, version of bash remains same before and after installation-
    here is the version - bash --version
    GNU bash, version 3.2.33(1)-release (i386-redhat-linux-gnu)

    The output of writing the same code before and after is same –
    vulnerable
    this is a test

    I am confused and new to Linux. Could anybody please provide solution ?

    Reply
  23. Puja

    Hi –

    It looks like I am vulnerable to shellshock. I wanted to run the patch but I’m not sure how to check what I’m running. I have a macbook so i’m not sure what Ubuntu , Fedora, etc is.

    Can you please detail out an explanation of steps to take for mac? Thanks!

    Reply
  24. Jim Fager

    I followed Lanidarc's instructions and it does indeed patch bash-4.3. It updated the terminal I was working from and the command line: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    showed that bash was no longer vulnerable.
    However, env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test" still showed vulnerable.
    # which bash
    showed /usr/local/bin/bash – but /bin/bash was still the old version and that’s what /bin/sh links to. When opening a new terminal, it was still using /bin/bash and vulnerable. I renamed /bin/bash and copied the new bash from /usr/local/bin to /bin. This fixed my system.

    Thanks for the instructions. Much appreciated.

    Reply
    1. Lionel

      That's a bug in Lanidarc's instructions. He/she left out the 'sudo' required to give the 'make install' step permission to copy the fixed version of bash over the bad version. I've posted a scripted version on this page which fixes that & the other bugs. Just look for my other comments here. 🙂

      Reply
  25. Mike

    Copy-pasted the line into the server. Running Ubuntu 10.04.4

    E: Sense only is not understood, try true or false.

    Reply
    1. Don

      Yeah, same as Mike for me. Ubuntu 10.04, multiple machines. The upgrade command always results in:

      E: Sense only is not understood, try true or false.

      Reply
    2. Manu

      I have the same problem. Does anyone know how to make it work on Ubuntu 10.04?

      Thanks in advance

      Reply
      1. Manu

        Ok I fixed it with this:

        sudo apt-get install --reinstall bash

        after

        sudo apt-get update

        Good luck!

        Reply
        1. Wade

          Also, apt is smart enough to simply update if the program is already there…

          'sudo apt-get install bash' will also update bash.

          Reply
        2. Barefoot Walker

          When I copied and pasted:
          sudo apt-get install --reinstall bash
          into my terminal and executed it, I got:
          E: Unable to locate package –reinstall
          When I looked more closely, I found that it had substituted a dash (—) for the two hyphens!!
          Make sure that, if it displays a single character in front of the word reinstall, you change it to two hyphens before executing!
          This may work:
          sudo apt-get install --reinstall bash
          if the site does not alter it.
          BTW, I ran the
          dpkg -s bash | grep Version
          I got:
          Version: 4.2+dfsg-1
          and it will not upgrade to anything higher.
          I am running MATE under Mint 16.
          Thanks for the info all!

          Reply
    3. Matthew

      This works on 12.04: sudo apt-get install --only-upgrade bash

      On 10.04 the same error, so I instead used "sudo apt-get install bash". Then I checked if it worked with: env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

      This works.

      Reply
  26. Pingback: High risk Shellshock bug | Upstream

  27. Pingback: Buckeye TelecomHow To Check If Your Mac or Linux Machine Is Vulnerable to Shellshock - Buckeye Telecom

  28. Pingback: How To Check If Your Mac or Linux Machine Is Vulnerable to Shellshock | Three 7 Solutions

  29. Pingback: Could the Shellshock Exploit Destroy Your Website?

  30. Pingback: MUST READ: What You Need to Know About the Shellshock Hack

  31. Agadir VOIture

    This is not a vulnerability. This is a syntactical peculiarity of the bash scripting language. MAYBE it’s a bug. THAT IS ALL. This itself isn’t remotely exploitable unless an attacker already has remote access anyways. So what if an ‘attacker’ can run bash code in an unconventional place? If the ‘attacker’ already has access to a bash prompt, then you’ve got bigger problems. As a security professional, this whole “Shell Shock” thing is a big trolling joke. I’m not sure how this vulnerability alert REALLY started, but my hunch is that whoever did it secretly doesn’t like bash, OS X, Linux, or Unix, and wants to slander those things through fear-mongering.

    Reply
      1. Jp Islander

        Thank you for the link. This is very interesting.

        It's very clear!

        JP

        Reply
    1. Jp Islander

      Agadir, I think you're right. All the newspapers speak of a flaw in Linux servers at a time when Microsoft releases Windows 10. What a coincidence!
      Since when do these newspapers publish information on Linux servers? Never!

      And, is the BASH update an update from the NSA? And who programs the Bash update? Could Linux (bash) experts answer my question? In addition, the servers are equipped with firewalls to detect intrusions. So I think we should be careful before making the updates.

      Reply
  32. Pingback: Shellshock Vulnerability | The Double Duece

  33. Pingback: How To Check If Your Mac or Linux Machine Is Vulnerable to Shellshock - SciTechWeb

  34. Pingback: PSA: Patch and Check Your Servers for ShellShock | This Programming Thing

  35. Barefoot Walker

    Okay, the site has an editing feature turned on that changes two consecutive hyphens to a single-character dash (– or —, not sure which) which ruins the command so be sure to look for this when you copy and paste any code from here.
    Again, thanks for posting all this good stuff!

    Reply
  36. Pingback: Expertsourcing® > Shellshock Bash Bug Alert

  37. Pingback: IT Solver services unaffected by Shellshock software bug | IT Solver

  38. Pingback: Tất cả máy Mac và Linux đều có lỗ hổng bảo mật nghiêm trọng ShellShock – Đây là Hướng dẫn khắc phục | Congpro

  39. Pingback: How To Check If Your Mac or Linux Machine Is Vulnerable to Shellshock | Rob's Personal Aggregator

  40. Kelly Carter

    On my Kali Linux machine, I’ve performed all the updates, upgrades, installs, reinstalls as mentioned in this article and the comments. I’ve checked the version of bash: it’s 4.2.37(1). The test script still says I’m vulnerable. Is everyone really convinced that test script works?

    Reply
  41. Pingback: Shellshock, una vulnerabilidad más fácil de explotar que Heartbleed | Itaca Latinoamérica

  42. Pingback: How to patch bash for shell shock in CentOS, Ubuntu, etc.. | PCFlex T.I.

  43. Pingback: : Easy Cloud Solutions
