Vulnerability background
A very serious security vulnerability (reference: https://access.redhat.com/security/cve/CVE-2014-6271) has been found in GNU Bash, the shell built into official Linux distributions. Attackers can exploit this bash vulnerability to take full control of the target system and launch attacks. To keep your Linux server from being affected, patch it following the official Linux solution released on September 25.
Special reminder: the official Linux maintainers have released an updated solution that resolves the bugs that bypassed the earlier fix. We recommend that you apply the patch as soon as possible.
Software and systems confirmed to be exploitable
All Linux operating systems with GNU Bash version 4.3 or earlier installed.
The affected systems include:
CentOS, Debian, Redhat, Ubuntu
Vulnerability description
The flaw stems from specially crafted environment variables that are created before the bash shell is invoked. These variables can contain code, which bash then executes.
Vulnerability detection method
Vulnerability detection command: env -i x='() { (a)=>\' bash -c 'echo date'; cat echo
Before fixing
Output: the current system time
After applying the patch
Output: date
(Note: if the word "date" appears in the output, the fix was successful.)
Special note: this fix will not have any impact. However, if your scripts define environment variables in the way shown above, they will fail with an error after the fix is applied.
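Added example (not part of the original advisory): a POSIX shell wrapper around the detection command above. On an unfixed bash that command writes a file named "echo" into the current directory, so the wrapper runs it in a scratch directory and checks for that file instead of running cat. The function names probe_bash and shellshock_verdict are hypothetical.

```shell
#!/bin/sh
# Added example: safe wrapper around the detection command on this page.

# Decide the result from the probe's stdout and whether it left a file behind.
#   $1 = stdout of the probe, $2 = "yes" if a file named "echo" was created
shellshock_verdict() {
    if [ "$2" = yes ]; then
        # Unfixed bash ran `date` and redirected its output into ./echo
        echo vulnerable
    elif [ "$1" = date ]; then
        # Fixed bash treated x as plain data and printed the literal word
        echo patched
    else
        # e.g. the bash binary could not be started
        echo unknown
    fi
}

# Run the probe against one bash binary (default: "bash" as resolved by env).
probe_bash() {
    bash_bin=${1:-bash}
    scratch=$(mktemp -d) || return 2
    # Same environment variable and command as the advisory; run inside the
    # scratch directory so a vulnerable bash cannot clobber a real file.
    out=$(cd "$scratch" && env -i x='() { (a)=>\' "$bash_bin" -c 'echo date' 2>/dev/null) || true
    if [ -e "$scratch/echo" ]; then created=yes; else created=no; fi
    rm -rf "$scratch"
    shellshock_verdict "$out" "$created"
}

# Print the verdict for the binary given as the first argument, if any.
probe_bash "${1:-bash}"
```

Pass an absolute path as the first argument to test a specific binary, for example a bash installed outside the default search path.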
Recommended patching solutions
CentOS: (Final Solution)
yum clean all
yum makecache
yum -y update bash
If the following error is reported when you run the commands above:
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again
Solution: the fix is simple. Edit the file "/etc/yum.repos.d/epel.repo", uncomment the baseurl line and comment out the mirrorlist line.
Ubuntu: (Final Solution)
apt-get update
apt-get -y install --only-upgrade bash
Debian: (Final Solution)
7.5 64bit && 32bit
apt-get update
apt-get -y install --only-upgrade bash
6.0.x 64bit
wget http://mirrors.aliyun.com/debian/pool/main/b/bash/bash_4.1-3+deb6u2_amd64.deb && dpkg -i bash_4.1-3+deb6u2_amd64.deb
6.0.x 32bit
wget http://mirrors.aliyun.com/debian/pool/main/b/bash/bash_4.1-3+deb6u2_i386.deb && dpkg -i bash_4.1-3+deb6u2_i386.deb
Aliyun Linux: (Final Solution)
5.x 64bit
wget http://mirrors.aliyun.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5_11.4.x86_64.rpm && rpm -Uvh bash-3.2-33.el5_11.4.x86_64.rpm
5.x 32bit
wget http://mirrors.aliyun.com/centos/5/updates/i386/RPMS/bash-3.2-33.el5_11.4.i386.rpm && rpm -Uvh bash-3.2-33.el5_11.4.i386.rpm
openSUSE: (Final Solution)
zypper clean
zypper refresh
zypper update -y bash