[OT Security PSA] Shellshock: Update your bash, now!

Nick Sabalausky via Digitalmars-d-announce digitalmars-d-announce at puremagic.com
Tue Sep 30 22:09:44 PDT 2014


Don't mean to be alarmist, but I'm posting this in case anyone else is 
like me and hasn't been paying attention since this news broke (AIUI) 
about a week ago.

Apparently bash has its own "heartbleed" now, dubbed "shellshock". Warm 
fuzzy flashbacks of "TMNT: The Arcade Game" aside, this appears to be 
pretty nasty *and* it affects pretty much every version of bash ever 
released. And of course bash exists on practically everything, 
so...pretty big deal. Security sites, blogs-o'-spheres, cloudosphere, 
etc are all over this one. (Don't know how I managed to miss it until now.)

Patches have been issued (and likely more to come from what I gather), so:

Go update bash on all your computers and servers, NOW. No, don't hit 
reply, do it now. Personally, I'd keep updating fairly frequently until 
the whole matter settles down a bit.

Since the security folks have been jumping at this, getting a fixed bash 
should be trivial. Debian already has patched versions in its repos 
(even for Debian 6 if you're using the LTS repo). Other distros likely 
have patched versions now too. So you have no excuse!

More info:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability
https://startpage.com/do/search?query=bash+shellshock

--------------------
HOW TO CHECK/UPDATE:
--------------------

Test for vulnerability like this (supposed to be one line):
$ env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

Update to a fixed bash:

Debian Testing (and probably Deb 7, though I don't have an installation 
of 7 to confirm):
$ sudo apt-get update && sudo apt-get install bash

Debian 6: (Including setting up the LTS repos):
$ echo 'deb http://http.debian.net/debian squeeze-lts main contrib non-free' | sudo tee -a /etc/apt/sources.list
$ echo 'deb-src http://http.debian.net/debian squeeze-lts main contrib non-free' | sudo tee -a /etc/apt/sources.list
$ sudo apt-get update && sudo apt-get install bash

Other OSes/distros are likely equally easy. Please, reply with examples 
to help ensure other people on the same OS/distro as you have no excuse 
not to update!
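
The check from the post, wrapped as a script that classifies every bash binary on a machine, so a second copy left unpatched (for example under /usr/local/bin) is not missed. This is an added example, not part of the original post; the function names check_bash and check_all and the marker string are hypothetical.

```shell
#!/bin/sh
# Added example: classify bash binaries with the same probe as the post's
# one-liner. MARKER is a constructed string; function names are hypothetical.
MARKER='SHELLSHOCK_PROBE_HIT'

# check_bash PATH -> prints "vulnerable", "patched" or "error"
# exit status: 0 = patched, 1 = vulnerable, 2 = could not run the probe
check_bash() {
    shell=$1
    [ -x "$shell" ] || { echo error; return 2; }
    # Two probes, as in the post: a function-style value in VAR and in a
    # variable literally named "FUNCTION()". A fixed bash ignores the text
    # after the function body; an unfixed one runs it at startup.
    out=$(env "VAR=() { :;}; echo $MARKER" \
              "FUNCTION()=() { :;}; echo $MARKER" \
              "$shell" -c 'echo probe-done' 2>/dev/null) || true
    case $out in
        *"$MARKER"*)  echo vulnerable; return 1 ;;
        *probe-done*) echo patched;    return 0 ;;
        *)            echo error;      return 2 ;;
    esac
}

# check_all: probe the bash on PATH plus every bash listed in /etc/shells
check_all() {
    {
        command -v bash || true
        if [ -r /etc/shells ]; then grep '/bash$' /etc/shells || true; fi
    } | sort -u | while read -r b; do
        printf '%s: %s\n' "$b" "$(check_bash "$b" || true)"
    done
}

# Run "sh thisfile --all" to report on every bash found.
if [ "${1:-}" = "--all" ]; then check_all; fi
```

Re-run it after each bash update; any line reporting "vulnerable" names a binary that still needs the patched package.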

