
I updated bash as soon as both patches were available, and using the test script at https://shellshocker.net, I am showing fixed on all vulnerabilities except for segfault.

OS:

cat /etc/*release*
CentOS release 6.5 (Final)

Installed bash version:

yum info bash
Name        : bash
Arch        : x86_64
Version     : 4.1.2
Release     : 15.el6_5.2

Here's the segfault portion of the test script:

# CVE-2014-6277
# Feeds the crashing parser input to a child bash; any non-zero exit from the
# probe (the segfault, but also any other failure) is counted as vulnerable.
CVE20146277=$((bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable) | grep 'vulnerable' | wc -l)

echo -n "CVE-2014-6277 (segfault): "
if [ $CVE20146277 -gt 0 ]; then
        echo -e "\033[91mVULNERABLE\033[39m"
        EXITCODE=$((EXITCODE+2))
else
        echo -e "\033[92mnot vulnerable\033[39m"
fi

I'm not showing any more updates to bash in the repositories (I've actually checked twice a day since last week).

Is there another way of patching the segfault vulnerability (without building from source)?

a coder

1 Answer


We're waiting on upstream to release fixes that address the original (and subsequent) CVEs. We're all in the same boat here. The segmentation fault will only affect the bash session, not the rest of your server.

Please stick to using 'yum update'. Do reboot if you can every so often (once a month).

I strongly recommend that you do not download source and build your own bash, or go searching for third party updates. There's a fair bit of FUD that is fairly unhelpful to most sysadmins.

Just keep checking for updates via yum and as the devs at Red Hat sort these other CVEs out the patches will filter through promptly. You're welcome to subscribe to the centos-devel mailing list if you want to be kept in the loop.

Bert GT
  • Preaching to the choir. Building packages from source is a solution of last resort since we lose the ability to have future security patches easily applied. Will wait on an official solution. – a coder Oct 07 '14 at 17:08
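An added example, not part of the question, the answer, or the shellshocker.net script, showing two checks a CentOS/RHEL admin can run while waiting for the errata build instead of building from source: looking for the CVE ID in the installed package's RPM changelog (where Red Hat records the CVEs an update addresses), and running the CVE-2014-6277 probe while classifying its exit status rather than treating every non-zero exit as "vulnerable". The changelog text embedded below is constructed sample data in RPM %changelog shape, not the real changelog of bash-4.1.2-15.el6_5.2; the function names are the example's own.

```shell
#!/bin/sh
# Added example: check whether the installed bash package claims a CVE fix,
# and run the CVE-2014-6277 probe with exit-status classification.

# CONSTRUCTED sample in the shape of `rpm -q --changelog bash` output.
# It is not the real bash changelog; it exists so the helper can be exercised offline.
SAMPLE_CHANGELOG='* Thu Sep 25 2014 Example Maintainer <maintainer@example.com> - 4.1.2-15.2
- Resolves: #1146319 CVE-2014-7169 Incorrect parsing of function definitions
- Resolves: #1141597 CVE-2014-6271 Shell command injection via environment
* Wed Jan 08 2014 Example Maintainer <maintainer@example.com> - 4.1.2-15
- Fix an unrelated ordinary bug'

# changelog_mentions_cve CHANGELOG_TEXT CVE-ID -> exit 0 if the ID appears, 1 otherwise
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# installed_bash_mentions_cve CVE-ID -> 0/1 from the real rpm database,
# or 2 when rpm is not available so the caller can tell "no rpm" apart from "not listed".
installed_bash_mentions_cve() {
    command -v rpm >/dev/null 2>&1 || return 2
    changelog_mentions_cve "$(rpm -q --changelog bash 2>/dev/null)" "$1"
}

# classify_probe_status EXIT_STATUS -> prints a verdict.
# A child killed by SIGSEGV is reported by the parent shell as 128+11 = 139.
# Any other non-zero status (bash missing, syntax error, ...) is not evidence
# of the crash, so it is reported as inconclusive instead of "VULNERABLE".
classify_probe_status() {
    case "$1" in
        0)   echo "not vulnerable" ;;
        139) echo "segfault" ;;
        *)   echo "inconclusive (exit status $1)" ;;
    esac
}

# probe_cve_2014_6277 -> runs the same parser input the shellshocker script uses
# and prints the classified verdict. Written to be safe under `set -e`.
probe_cve_2014_6277() {
    bash -c 'f() { x() { _;}; x() { _;} <<a; }' >/dev/null 2>&1 && rc=0 || rc=$?
    classify_probe_status "$rc"
}

# report_cve CVE-ID -> one human-readable line about the installed package
report_cve() {
    installed_bash_mentions_cve "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo "$1: listed in the installed bash changelog" ;;
        2) echo "$1: rpm not available, skipped" ;;
        *) echo "$1: NOT listed in the installed bash changelog" ;;
    esac
}

main() {
    for cve in CVE-2014-6271 CVE-2014-7169 CVE-2014-6277 CVE-2014-6278; do
        report_cve "$cve"
    done
    echo "CVE-2014-6277 probe: $(probe_cve_2014_6277)"
}

main
```

The changelog check is the one that answers "has the errata build landed yet" without guessing from the version string: `rpm -q --changelog bash | grep CVE-2014-6277` is empty until the package that fixes it is installed. The probe is kept as a second signal only; a crash shows up as status 139, and anything else is reported as inconclusive rather than being folded into "vulnerable".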