The title says it all.
I am still vulnerable (CVE-2014-6271 and possibly CVE-2014-7169) with Ubuntu 14.04.1 and Bash 4.3-7ubuntu1.4
- apt-get update = nothing
- apt-get upgrade = nothing
- apt-get install bind = nothing
Checked this: https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 (there are no newer versions)
Ran test:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Get:
vulnerable
hello
Been at this for a week now!
[Update]
I originally installed bash_4.3.orig.tar.gz from https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 which may have been a mistake.
I did this before doing sudo apt-get update && sudo apt-get install bash would work (I think).
On this page, there are other files, bash_4.3-7ubuntu1.4.debian.tar.gz and bash_4.3-7ubuntu1.4.dsc. I do not know what to do with these. I downloaded bash_4.3-7ubuntu1.4.debian.tar.gz and looked at it, but did not know what to do with it.
I was still vulnerable according to this test: env x='() { :;}; echo vulnerable' bash -c 'echo hello'
I tried as many gyrations of apt-get, dpkg, and installing from bash_4.3.orig.tar.gz as you can imagine. Still fails the test.
I found:
- /usr/local/bin/bash - GNU bash, version 4.3.0(1)-release (i686-pc-linux-gnu)
- /bin/bash - GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)
This morning, after going around for days, I finally got desperate and threw a Hail Mary and tried the script from: How do I patch the shellshock vulnerability on an obsolete Ubuntu system that I can't upgrade?
Now I have:
- /bin/bash - GNU bash, version 4.3.27(1)-release (i686-pc-linux-gnu)
Still fails test: env x='() { :;}; echo vulnerable' bash -c 'echo hello' when I log on. So I sudo /bin/bash and tried again. Still fails.
So I tried:
sudo apt-get install --only-upgrade bash
and get...
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0 B/549 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
dpkg: error processing package bash (--configure):
package is in a very bad inconsistent state; you should
reinstall it before attempting configuration
Errors were encountered while processing:
bash
E: Sub-process /usr/bin/dpkg returned an error code (1)
So I tried:
sudo apt-get install bash
and get...
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0 B/549 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
dpkg: error processing package bash (--configure):
package is in a very bad inconsistent state; you should
reinstall it before attempting configuration
Errors were encountered while processing:
bash
E: Sub-process /usr/bin/dpkg returned an error code (1)
This does not surprise me of course.
Please help.
Can anyone help me force an update of both /bin/bash and /usr/local/bin/bash with a version that works? Can I use the files found on this page https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 or can I clean up the GNU install? As well, can bash be copied from /bin to /usr/local/bin/ (or the other way around) if I can get just one fixed?
I need strong Linux answers and not just the apt-get parrots seen everywhere please. I have read everything or dang-near everything that I can find. If you have a resource, please let me know. You may have had success, but I have had nothing but trouble.
Going into chat is fine.
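A per-binary version of the test above, as an added example that is not part of the original post: the one-line test runs whichever `bash` is found first on `PATH`, so with two installs it exercises only one of them. The function names `check_bash` and `report` are made up for this example; the two paths passed to `report` are the ones listed in the question.

```shell
#!/bin/sh
# Added example: run the page's CVE-2014-6271 test against one explicit
# binary, instead of whichever "bash" PATH happens to resolve first.

# check_bash BINARY -> prints "vulnerable", "patched", "missing" or "unknown"
check_bash() {
    target=$1
    [ -x "$target" ] || { echo missing; return 0; }
    # Same probe as in the question. A fixed build must not run the code
    # that trails the function definition stored in x. stderr is dropped
    # because some patched builds print a warning about x.
    out=$(env x='() { :;}; echo vulnerable' "$target" -c 'echo hello' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *hello*)      echo patched ;;
        *)            echo unknown ;;
    esac
}

# report BINARY... -> one line per binary; "*" marks the one that a bare
# "bash" command resolves to in the current environment.
report() {
    first=$(command -v bash 2>/dev/null || true)
    for bin in "$@"; do
        mark=' '
        [ "$bin" = "$first" ] && mark='*'
        printf '%s %-22s %s\n' "$mark" "$bin" "$(check_bash "$bin")"
    done
}

# The two install locations named in the question.
report /usr/local/bin/bash /bin/bash
```

Running `dpkg -S` on each path afterwards shows which copy is owned by the bash package; a copy built from source under /usr/local is not tracked by dpkg and is never touched by apt-get.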