
I'm trying to update a CentOS 5 system in order to patch the bash vulnerability described in CVE-2014-6271 / RHSA-2014:1293-1, but am running into an issue.

After seemingly-successfully updating bash via yum update bash and restarting the server, yum list bash lists the installed version as patched (3.2.33.e15.1) but /bin/bash --version is displaying 3.2.25(1)-release.

By all accounts (via rpm -ql bash), the binary location is correct and find / -name bash only returns that one location.

Any thoughts as to why the version discrepancy might be occurring?

Richard Szalay
Comment (cjc, Sep 25 '14 at 16:07):

$ rpm -q --changelog bash | more
* Mon Sep 15 2014 Ondrej Oprala - 3.2-33.1
- Check for fishy environment
Resolves: #1141644

2 Answers

It turns out that, despite the version discrepancy, the update was successful. Running the sample input succeeds where it did not before:

user [~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Richard Szalay

At Red Hat they usually patch older versions instead of directly updating to the newest ones so as not to break any systems. Since this is just a vulnerability patch, it ensures that the binary and the whole package remain backwards compatible.

You can use rpm to inspect the changelog for the package. This way you can always verify if you're using the newest backported version.

# rpm -q --changelog <the rpm package that just got installed>

Toshe
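The two checks described in the answers above, the env-based test for CVE-2014-6271 from the first answer and the rpm changelog inspection from the second, combined into a small POSIX sh script. This is an added example, not code from either answer; it assumes that a patched bash never prints the word "vulnerable" from the test payload (newer bash builds no longer print the "ignoring function definition attempt" warning at all, they simply treat x as a plain variable), that the changelog line "Check for fishy environment" quoted in the question's comment or the CVE id marks the backported fix, and that bash is found via "command -v bash" when no path is given. The sample changelog text is constructed from that comment.

```shell
#!/bin/sh
# Added example: package the two verification steps from the answers
# (env test for CVE-2014-6271, rpm changelog search) as reusable functions.

# Classify the captured output of the env test. The payload only prints
# "vulnerable" when bash executed the trailing command of the imported
# function; any other output (the warning shown in the first answer, or just
# the echo on newer bash that never imports plain "() {" variables) means the
# binary is patched.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Run the same test the first answer uses against a bash binary
# ($1, default: "bash" on PATH). Prints patched, vulnerable, or unknown
# when no executable bash is found.
run_shellshock_test() {
    shell="${1:-$(command -v bash 2>/dev/null || true)}"
    if [ -z "$shell" ] || [ ! -x "$shell" ]; then
        echo unknown
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>&1 || true)
    classify_shellshock_output "$out"
}

# Check rpm changelog text ($1) for the backport entry. The markers are the
# changelog line from the question's comment and the CVE id (assumption:
# one of them is present in the backported package's changelog).
changelog_has_cve_fix() {
    case "$1" in
        *"Check for fishy environment"*|*CVE-2014-6271*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live-system wrapper around the command from the second answer.
# Returns 1 if rpm is unavailable or the entry is absent.
installed_bash_has_cve_fix() {
    command -v rpm >/dev/null 2>&1 || return 1
    changelog_has_cve_fix "$(rpm -q --changelog bash 2>/dev/null || true)"
}

# Constructed sample changelog text modelled on the comment in the question.
SAMPLE_CHANGELOG='* Mon Sep 15 2014 Ondrej Oprala - 3.2-33.1
- Check for fishy environment
Resolves: #1141644'

# Usage: sh check_bash.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "env test:  $(run_shellshock_test)"
    if installed_bash_has_cve_fix; then
        echo "changelog: backport entry present"
    else
        echo "changelog: backport entry not found (or rpm unavailable)"
    fi
fi
```

Both checks are worth keeping together: the env test tells you what the binary actually does, while the changelog confirms the package is the backported build even though "bash --version" still reports the old upstream number, which is exactly the discrepancy the question asks about.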