I run a few webservers at work that are internal facing only (intranet) that run Debian 6 Squeeze. I’ve been monitoring the Shellshock exploit since it was discovered a few weeks ago and have been looking for a way to get those few systems patched…despite them existing only internally. Patches for Squeeze-lts (long term release) were released quickly and then just a last week, another patch was put into play as well. I decided to go ahead and patch these internal systems and since I couldn’t find much out there for blog posts on how to do it…I decided to share how I did it.
Difference Between Squeeze and Squeeze-lts
The difference between Squeeze general and Squeeze-lts is that the LTS (long term support) repositories will continue to receive backported patches from the current release tree (which is version 7 for Debian). I didn’t originally install/setup these two internal servers so the first thing I have to do is get the version of Debian these servers are running and then check to see if they are using the LTS repositories.
Finding Your Version of Debian
lsb_release -a
This command returns a vanilla squeeze install for me.
Changing Repositories to LTS
Now to see which repositories are enabled.
nano /etc/apt/sources.list
You should open your sources list with your favorite text editor. If you just have vanilla sources like the two servers I have you can just comment out the sources listed there and paste the following:
deb http://http.debian.net/debian/ squeeze main contrib non-free deb-src http://http.debian.net/debian/ squeeze main contrib non-free deb http://security.debian.org/ squeeze/updates main contrib non-free deb-src http://security.debian.org/ squeeze/updates main contrib non-free deb http://http.debian.net/debian squeeze-lts main contrib non-free deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
Now that your sources have changed, update and patch your system:
apt-get update && apt-get upgrade && apt-get dist-upgrade
Checking To See if You still Vulnerable
You can use bash itself to see if you’re vulnerable to the bug. Execute the following command:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
This should return the following if you are patched:
bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' hello
If you’re not patched…the word ‘vulnerable’ will appear in your results.
Further Reading on Shellshock
You can read further about how to switch to LTS repositories here: https://wiki.debian.org/LTS/Using
For more reading on the Shellshock bug, how it is being exploited and the history/timeline, see here: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
Learn basic linux stuff at http://mylinuxtrick.blogspot.in
good.. nice post ..really interesting