UPDATE: The updated packages are now available in the official Fedora repositories. View this post for up-to-date details on how to install on your Fedora system.
Updated packages that resolve CVE-2014-6271 and CVE-2014-7169 (collectively known as “Shellshock”) have now been built for Fedora 19, 20 and 21 Alpha. These packages still need to make their way through the package release system and to the mirrors, but they should be available through the regular update channels shortly.
The new updated packages are named:
Fedora 21: bash-4.3.25-2.fc21
Fedora 20: bash-4.2.48-2.fc20
Fedora 19: bash-4.2.48-2.fc19
Additionally, you can download the built packages directly from Koji (the Fedora buildsystem) using:
Fedora 21 Alpha
Run these commands:
su -c "yum -y install koji" # provide root password...
koji download-build --arch=$(uname -m) bash-4.3.25-2.fc21
su -c "yum localinstall bash-4.3.25-2.fc21.$(uname -m).rpm" # provide root password again...
Fedora 20
Run these commands:
su -c "yum -y install koji" # provide root password...
koji download-build --arch=$(uname -m) bash-4.2.48-2.fc20
su -c "yum localinstall bash-4.2.48-2.fc20.$(uname -m).rpm" # provide root password again...
Fedora 19
Run these commands:
su -c "yum -y install koji" # provide root password...
koji download-build --arch=$(uname -m) bash-4.2.48-2.fc19
su -c "yum localinstall bash-4.2.48-2.fc19.$(uname -m).rpm" # provide root password again...
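Once the updated package is installed, it is worth confirming that the running bash actually has the fix. The script below is an added example, not part of the Fedora Magazine post: it runs the same CVE-2014-6271 probe string used later in this thread and checks for the Fedora/Red Hat change that stores exported functions in specially named variables so ordinary environment variables are never parsed. It assumes `bash` is on PATH; set `BASH_BIN` to point at another binary (for example one you just built) before installing it.

```shell
#!/bin/sh
# Added example, not part of the Fedora Magazine post: after installing the
# updated bash package, verify that the fix is actually in effect.
# Assumes the bash under test is on PATH; set BASH_BIN to test another binary.

BASH_BIN="${BASH_BIN:-bash}"

# Runs the CVE-2014-6271 probe used in the comment thread: an ordinary
# environment variable holding a function-looking value followed by a command.
# Prints "vulnerable" if the trailing command ran, "patched" if it did not,
# and "bash-missing" if no bash binary could be executed.
probe_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo bash-missing; return; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Checks the second half of the fix described in the thread: exported
# functions are carried in BASH_FUNC_* variables (BASH_FUNC_f() or
# BASH_FUNC_f%% depending on the bash release), so arbitrary variables such as
# TERM or HTTP_USER_AGENT are never parsed as functions.
# Prints "prefixed", "unprefixed" or "bash-missing".
probe_function_export() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo bash-missing; return; }
    envdump=$("$BASH_BIN" -c 'f() { :; }; export -f f; env' 2>/dev/null)
    case "$envdump" in
        *BASH_FUNC_f*) echo prefixed ;;
        *)             echo unprefixed ;;
    esac
}

main() {
    printf 'CVE-2014-6271 probe:      %s\n' "$(probe_6271)"
    printf 'exported-function format: %s\n' "$(probe_function_export)"
    # Show the installed package version when rpm is available (Fedora systems).
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash
    fi
}

main "$@"
```

A patched system prints "patched" and "prefixed"; "vulnerable" means the old binary is still being executed (check `rpm -q bash` against the versions listed above).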
pbrown
I have FC16 and I don’t want to upgrade the entire system just to fix this. Any pointers?
Matthew Miller
Download our F19 update SRPM and see if it’ll rebuild cleanly for you.
Dan Thurman
Where is the link to obtaining “F19 update SRPM”
I plan to obtain the patches there and rebuild F18.
Matthew Miller
You can get it from the normal mirrors, but you could also look in bodhi, our updates system. Go to https://admin.fedoraproject.org/updates/ and search for Fedora, and then trace that back to the build. Note that these won’t be cryptographically signed: for that, you need the official RPMs from a Fedora mirror. (See https://mirrors.fedoraproject.org/.)
Moogue
I was running Fedora 16, ran yum to update bash, which corrected the bug, but then I was no longer able to connect to the FTP server (vsftpd). Neither external nor local connections would go through vsftpd after the bash upgrade; always username/password mismatch.
x
Fedora 12-13-14 don’t have support. But CentOS 6.5 is based on F12-13-14, so install the bash update from the CentOS repo: bash-4.1.2-15.el6_5.2
32 bit: http://mirror.centos.org/centos-6/6.5/updates/i386/Packages/bash-4.1.2-15.el6_5.2.i686.rpm
64 bit: http://mirror.centos.org/centos-6/6.5/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm
rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm
and done, no more bug.
If the above packages don’t work you can try the packages from a newer CentOS/RHEL
CentOS 7: http://mirror.centos.org/centos-7/7/updates/x86_64/Packages/bash-4.2.45-5.el7_0.4.x86_64.rpm
Try to install the package and see if there are any unsatisfied dependencies; if there are, install those dependencies as well by getting the packages from either http://mirror.centos.org/centos-6/6.5/updates/x86_64/Packages/ or a newer CentOS version at http://mirror.centos.org
nomojomo
This helped us immensely. Following the same logic, I went to the CentOS 5 branch for updates compatible with Fedora 9 and 10. Had to do a bit more to make it go… Here’s what worked for us, should it help anyone else.
[root@f10 ~]# x="() { :;} ; echo $HOSTNAME is vulnerable" /bin/sh -c "echo ...shellshock test done."
f10.workbench is vulnerable
...shellshock test done.
Download and install termcap, if missing, to satisfy dependencies in the CentOS 5 bash:
wget ftp://rpmfind.net/linux/centos/5.10/os/i386/CentOS/termcap-5.5-1.20060701.1.noarch.rpm
32bit:
wget ftp://rpmfind.net/linux/centos/5.10/os/i386/CentOS/libtermcap-2.0.8-46.1.i386.rpm
or 64bit:
wget ftp://rpmfind.net/linux/centos/5.10/os/x86_64/CentOS/libtermcap-2.0.8-46.1.x86_64.rpm
rpm -ivh termcap-5.5-1.20060701.1.noarch.rpm
rpm -ivh libtermcap-2.0.8-46.1.i386.rpm
Download and install patched version of bash for CentOS 5
32bit:
wget http://mirror.centos.org/centos-5/5.10/updates/i386/RPMS/bash-3.2-33.el5_10.4.i386.rpm
64bit:
wget http://mirror.centos.org/centos-5/5.10/updates/x86_64/RPMS/bash-3.2-33.el5_10.4.x86_64.rpm
rpm --oldpackage --force -Uvh bash-3.2-33.el5_10.4.i386.rpm
[root@f10 ~]# x="() { :;} ; echo $HOSTNAME is vulnerable" /bin/sh -c "echo ...shellshock test done."
...shellshock test done.
Dan Thurman
What about Fedora 8? Pretty please?
Matthew Miller
The instructions here should help you build an update for pretty much any out-of-maintenance Fedora version. But I really do encourage you to update to a newer release — our latest Fedora versions are awesome.
billB
Note that on FC14 my installed Bash (which was vulnerable) was 4.1.7-4. Forcing installation of the lower-version-numbered CentOS file you suggest did fix the vulnerability, but I had to use --force to get it to replace the “newer” FC14 bash version.
And a “yum update bash” of course reinstalled the vulnerable FC14 bash (as would a general “yum update”) 🙁
Steve Jenkins
I did a write up on my blog of a very easy method for patching and compiling Bash on older Fedora-based systems (and I included a script for automatically downloading all the patches and applying them to the source code). One user using Fedora 9 commented that it worked for him (holy Shrike!).
So if you’re a procrastinator when it comes to Fedora upgrades, or you’ve got a Fedora 16 or RHEL 3 box that simply can’t be upgraded for some reason… my steps will get you patched up in minutes.
http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/
Hope it’s helpful to someone!
cmillard
Thanks Steve! Second time you’ve been a great help. First was the Dell 5324 config write-up you shared a while ago. Thanks for sharing this too!
Julio Mondragón
We have an isolated environment running several servers, and some of them have old versions of Fedora installed (Core 5 to Core 13). Is it possible to fix this issue without upgrading the entire OS?
IT Guy
I updated my version of Fedora 20 to version 4.2.48(1)-release.
I got this info when I typed bash --version.
Do I require a system reboot for the change to take effect?
Because when I do the shellshock test env x='() { :;}; echo vulnerable' bash -c "echo this is a test" it still shows as vulnerable.
Steve Cook
You can try the instructions at: http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/ to rebuild bash with newest patches.
SAM
I am running Fedora Core 3, which patch will compile and work for me?
Matthew Miller
Woah. That is so old that this exploit is probably the least of your problems. There are many other known ways to compromise such a system. I highly, highly recommend updating to one of our newer releases (f20, or even the new f21 alpha). Or, if you really need to leave your system untouched for such a long time, I recommend RHEL or CentOS.
Joe
I was going to ask the same question about FC1. God forgive me for still having a distro with FC1 on it.
Matthew Miller
That might be beyond forgiveness, but I’m certainly impressed!
Jim
I’m running Fedora 17 and upgrading the OS is not an option for me to patch the vulnerability. Is there an upgrade path for this OS? I’ve seen options for FC12-14. Is there a similar option for FC17?
Jim Jagielski
Fedora 17 uses the 4.2 rev of Bash, just as EL7 does, so you could always grab the source RPM (http://vault.centos.org/7.0.1406/updates/Source/SPackages/) and use rpmbuild to build it.
lorenzo
Get the latest Fedora 20 SRPM for bash (the easiest way is to get a Fedora 20 system and then type on that workstation "yumdownloader --source bash"). I don’t know the exact URL; I did it on my F20 workstation.
Then I pushed the src.rpm to the F17 system, installed that src.rpm with "rpm -ivh" on the F17, and then in the rpmbuild/SPECS folder
ran rpmbuild -bb bash.spec 😀
After a few minutes, it will produce a fresh new bash rpm from the sources which fixed the vulnerabilities.
Go to the dir, "yum update bash*" and you are done 😀
(Works like a charm, however you may need to install some dependencies; I had to install the texinfo package for the build process, but rpmbuild will notify you.)
Jan Slupski
The method that worked for me on Fedora 17 & Fedora 11: http://juljas.net/lpt/post/fedora-17-shellshock-fix
Dan Thurman
I tried your method for F18
BTW: I went to your site tried to leave you a message, but your CAPTCHA does not work, so I posted the message here instead.
At your site, you have stated that one needs to change the patchlevel at the bottom of the page for bash42-048 but you said nothing about changing the patchlevel for bash42-049. So, do I leave bash42-049 as it is?
I can see that patch for bash42-048 works, but fails bash42-049, so I tried again without the bash42-049 patch and it created the RPM files, ran it, and tested it (no longer vulnerable) What am I missing with bash42-049?
Dan Thurman
Ah, sorry! Your site was updated and I used the old version!
I will try your new instructions!
Dan Thurman
Patch bash42-049 fails to patch on F18:
Patch #49 (bash42-049):
+ /usr/bin/cat /home/dant/rpmbuild/SOURCES/bash42-049
+ /usr/bin/patch -p0 -b --suffix .049 --fuzz=0
patching file parse.y
Hunk #2 FAILED at 8379.
1 out of 2 hunks FAILED -- saving rejects to file parse.y.rej
patching file patchlevel.h
error: Bad exit status from /var/tmp/rpm-tmp.VkCUWd (%prep)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.VkCUWd (%prep)
andrej
fedora17-64 here.
Installed bash built from http://vault.centos.org/7.0.1406/updates/Source/SPackages/bash-4.2.45-5.el7_0.4.src.rpm and all tests passed fine.
Matthew Miller
I approved this comment but edited it to remove a link to a binary. I appreciate your desire to share and help, but people shouldn’t get in the habit of installing binaries posted to blog comments. Otherwise, we’ll soon have a plague of malware that makes this all look quite tame.
John Vincent
You can recompile “bash” from source if you can’t find a precompiled version.
Log in as root, then run the following commands:
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
for i in $(seq -f "%03g" 0 25); do patch -p0 < ../bash43-$i; done
./configure
make
make install
The first line creates a directory called “src” and the next line makes that the current directory.
Then you run the “wget” command to get the “bash” source code.
Then you run a “for” loop to get each patch to the source code to bring it up to date, this includes the patch to fix the “shellshock” bug.
Then you run the “tar” command to extract the “bash” source code into a directory called “bash-4.3”, and then the next line makes that your current directory.
Then you run a “for” loop to apply each patch to the source code.
Then you run the “./configure” command to prepare the source code for compiling on your machine.
Then you run the “make” command to compile the source code.
Finally you run “make install” to install your new version of bash.
I hope this helps…
pbrown
Worked like a champ. Thanks!
Paul
This was very helpful. Thankyou so much , John.
Bon
There is no http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-000
Also, the last one should be 026.
But even with the 026 patch, that does not fix the issue.
🙁
FGM
Thank you for the instructions. However you have a syntax error in a couple of lines:
for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
for i in $(seq -f "%03g" 0 25); do patch -p0 < ../bash43-$i; done
The correct syntax is:
for i in $(seq -f "%03g" 0 25);do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
You had a space between the ; and do
Kimmo
I tried to recompile from source for an FC16 system. Compiled nicely, but ‘make tests’ failed. So still working on this…
Vijay B
Is there a patch for Fedora 7?
Ryan Lerch
Hi Vijay,
Fedora 7 has officially been declared “End of Life” — so there have been no updates for it since 2008. So there won’t be an updated package for Fedora 7. It is recommended that you migrate to a supported version of Fedora (Fedora 19 or Fedora 20).
See the following wikipages for more information:
https://fedoraproject.org/wiki/End_of_life
https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle#End_of_Life_.28EOL.29
Agadir VOIture
This is not a vulnerability. This is a syntactical peculiarity of the bash scripting language. MAYBE it’s a bug. THAT IS ALL. This itself isn’t remotely exploitable unless an attacker already has remote access anyways. So what if an ‘attacker’ can run bash code in an unconventional place? If the ‘attacker’ already has access to a bash prompt, then you’ve got bigger problems. As a security professional, this whole “Shell Shock” thing is a big trolling joke. I’m not sure how this vulnerability alert REALLY started, but my hunch is that whoever did it secretly doesn’t like bash, OS X, Linux, or Unix, and wants to slander those things through fear-mongering.
Matthew Miller
Agadir, check out the Red Hat security blog for some more background. The vulnerability is that code was executed in a place where it was only expected to be loaded — and that includes in places where environment variables can be set from the network.
As explained in my post on how this works, our fix both closes the bug which allows unexpected execution and changes it so arbitrary variables aren’t scanned, closing down the whole possibility for most exploits (like setting TERM or USER_AGENT).
James Babcock
This incident has called my attention to how short Fedora’s support period is (the oldest supported version is 1 year, 3 months), and simultaneously put me into contact with a really broken update procedure (starting from FC14). After installing an update out-of-band as a stopgap, my plan is to rebuild the server with another distro and never touch Fedora again.
Paul W. Frields
If you’re looking for a long term system, you probably want CentOS. Fedora is made to give you the latest software in an easily consumable form. The tradeoff is shorter maintenance cycles. With something like CentOS you will give up using a lot of the latest software. Sorry you didn’t have clear information about what Fedora is for. This FAQ might be helpful for you and others.
Takeshi
I am using Fedora 11. Anyone tested the patch and checked that everything works fine after patching?
ayaz
Can anyone tell me how to make it and use shellshock, because I don’t have any idea?
Thanks in advance.
Paul W. Frields
You’re not trying to use shellshock — it’s a vulnerability, not a program. Patch your system using the update instructions described above.