Bash has an arbitrary code execution vulnerability in its handling of environment variables: "A CGI request can cause remote code to run, causing the server to be compromised." The harm is serious, and the officially released patch was also bypassed.
Vulnerability impact:
1) Affected Bash versions: 3.0 to 4.3; Bash versions earlier than 3.0 may also be affected.
2) Intrusion mode: in combination with CGI, remote code can be run and the server compromised.
Checking the system's current Bash version
# /bin/bash -version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
Bash: http://ftp.gnu.org/gnu/bash/
Installing the Bash upgrade
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
tar zxvf bash-4.3.tar.gz
cd bash-4.3
./configure
make
make install
Because Bash is installed under /usr/local/bin/ by default, you need to create a link to it in /bin/. A reboot is required after the installation is complete!
mv /bin/bash /bin/bash.bak; ln -s /usr/local/bin/bash /bin/bash
# /bin/bash -version
GNU bash, version 4.3.0(1)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
Note that 4.3.0 is the base release at patch level 0 and still falls inside the affected range listed above (3.0 to 4.3), so run the detection command given later on this page against the new binary after a source build.
Emergency notice: fix for the critical Linux Bash vulnerability (updated September 25, 2014)
A serious security vulnerability was recently discovered in Bash, the shell built into official Linux distributions. Hackers can exploit this Bash vulnerability to take complete control of the target system and launch attacks. To keep your Linux server from being affected, we recommend that you apply the fix as soon as possible. The repair method is as follows:
Vulnerability detection method
You can use the following command to check whether the system has this vulnerability:
env -i x='() { (a)=>\' bash -c 'echo date'; cat echo
Output before the fix: the current system time
Output after repairing with the patching scheme:
date
Special note: this fix has no other effect, but if your scripts define environment variables in the way shown above, they will report errors when run after the fix.
If the output contains the string date, the fix succeeded.
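The detection command above can be wrapped so that every bash binary on a host is tested, including the /bin/bash.bak and /usr/local/bin/bash files that the source install described on this page leaves behind. This is an added example, not part of the original notice; the helper names check_bash and report and the list of paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notice). check_bash and report are
# hypothetical helper names. Pass absolute paths.
# check_bash PATH -> exit status 0 = patched, 1 = vulnerable, 2 = could not test
check_bash() (
    bash_bin=$1
    [ -x "$bash_bin" ] || exit 2
    # A vulnerable bash writes a file named "echo" into the current directory,
    # so run the page's command inside a throwaway directory.
    tmp=$(mktemp -d) || exit 2
    cd "$tmp" || exit 2
    out=$(env -i x='() { (a)=>\' "$bash_bin" -c 'echo date' 2>/dev/null)
    if [ -e echo ]; then
        rc=1    # "date" was executed and its output redirected into ./echo
    elif [ "$out" = "date" ]; then
        rc=0    # the words were only echoed: the fix is in place
    else
        rc=2    # neither of the two documented outcomes
    fi
    cd / && rm -rf "$tmp"
    exit "$rc"
)

# report PATH... -> prints one result line per path that exists
report() {
    for b in "$@"; do
        [ -e "$b" ] || continue
        check_bash "$b"
        case $? in
            0) echo "$b: patched" ;;
            1) echo "$b: VULNERABLE" ;;
            *) echo "$b: could not test" ;;
        esac
    done
}

# Assumed locations: the system shell plus the two files left by the source
# install described on this page.
report /bin/bash /bin/bash.bak /usr/local/bin/bash
```

A renamed backup such as /bin/bash.bak stays executable, so a VULNERABLE line for it means the old binary should be removed or replaced as well.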
Patching schemes
CentOS:
yum clean all
yum makecache
yum -y update bash
Ubuntu:
apt-cache gencaches
apt-get -y install --only-upgrade bash
Debian 7.5 64-bit and 32-bit:
apt-cache gencaches
apt-get -y install --only-upgrade bash
Debian 6.0.x 64-bit:
wget http://mirrors.aliyun.com/debian/pool/main/b/bash/bash_4.1-3+deb6u2_amd64.deb && dpkg -i bash_4.1-3+deb6u2_amd64.deb
Debian 6.0.x 32-bit:
wget http://mirrors.aliyun.com/debian/pool/main/b/bash/bash_4.1-3+deb6u2_i386.deb && dpkg -i bash_4.1-3+deb6u2_i386.deb
openSUSE
Aliyun Linux:
5.x 64-bit:
wget http://mirrors.aliyun.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm && rpm -Uvh bash-3.2-33.el5.1.x86_64.rpm
5.x 32-bit:
wget http://mirrors.aliyun.com/centos/5/updates/i386/RPMS/bash-3.2-33.el5.1.i386.rpm && rpm -Uvh bash-3.2-33.el5.1.i386.rpm
Shell upgrade: /bin/bash version 4.1 to 4.3