Danstl's picture

What is the best way to handle this?




Jeremy Davis's picture

The bash page on the Debian security tracker shows that the Shellshock vulnerability (IIRC Shellshock was covered in CVE-2014-6277, CVE-2014-6278 and CVE-2014-7169) has been patched in bash 4.1-3+deb6u2 (Squeeze LTS).

FWIW you will note that there is a current open vulnerability (CVE-2012-3410) in the Squeeze LTS (i.e. TKL v12.x) version of bash (fixed in Wheezy/TKL v13.x). However it is noted as minor and can apparently only be exploited locally...

Jeremy Davis's picture

As the security fixed version should have been applied by TKL's auto security updates you should be good to go. To double check jlain's advice above also applies to Wheezy based appliances (i.e. TKL v13.x):

dpkg -s bash | grep Version

In v13.x/Wheezy appliances the vulnerable version is 4.2+dfsg-0.1

If you have 4.2+dfsg-0.1+deb7u1 or newer then you are good. (FWIW I have 4.2+dfsg-0.1+deb7u3 on my TKL v13.1 systems).

See also https://security-tracker.debian.org/tracker/CVE-2014-6271

Danstl's picture

Yeah, it looks like we are also good to go here - thanks auto magic update :)

Jeremy Davis's picture

Whilst 4.2+dfsg-0.1+deb7u1 does address CVE-2014-6271; the shellshock vulnerability (as it is now being called) is actually covered by 3 CVEs: CVE-2014-7169, CVE-2014-7186 & CVE-2014-7187 (see https://security-tracker.debian.org/tracker/DSA-3035-1) so to be completely safe you need to have 4.2+dfsg-0.1+deb7u3 (or newer) installed.

As I posted above, all TKL v13.1 users should be safe (due to auto security updates) but always good practice to double check! :)

Russell Alphey's picture

I have the version mentioned, but the bug is still there, at least according to this test -

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If it returns the text “this is a test,” your system is vulnerable.





Jeremy Davis's picture

My understanding is that if the response includes the word "vulnerable" then you are vulnerable, otherwise not (i.e. if it just says "this is a test" then you are NOT vulnerable).

Have a look on ServerFault where the same test as you mention is listed (2nd line of top answer) and it states: "it should NOT echo back the word vulnerable."

Note too that that test only checks for one of the (3) vulnerabilities that are included under the moniker "shellshock".

I don't mean to shut you down. Please feel free to demonstrate that I am wrong! :)

Jeremy Davis's picture

Please read my post above.

Unless the response you get includes the word "vulnerable" (which yours doesn't) then you are NOT vulnerable to that part of the shellshock bug (but there are 2 other parts to it...!)

Jeremy Davis's picture

jlad provides some useful links in a post above. The first link (to a TurnKey blog post) gives you a couple of upgrade (to v13.x) possibilities too if you want...

Jeremy Davis's picture

As you may or may not be aware, v11.x was based on Ubuntu (rather than Debian - since v12.0) and Ubuntu do things a little differently to Debian.

From what I can gather from a quick bit of research is that Ubuntu 10.04 (which v11.x was based on) is still supported with security patches (at least the 'main' server repo anyway...) and as TurnKey has had auto-security updates I would assume that it would have been auto patched.

However, I can't find info about what version you need to have to be assured that the bug is patched. So sorry I can't help there. The following should make sure that you have the latest Ubuntu Lucid version of bash:

apt-get update && apt-get install --reinstall bash

Regardless it may be worth planning your migration to a newer version of TurnKey as Ubuntu 10.04 support will finish April next year. So there is no rush yet, but probably good to start planning - especially if you have php code that may need updating for a newer version of php.

Add new comment