Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available

UPDATE: The updated packages are now available in the official Fedora repositories. View this post for up-to-date details on how to install on your Fedora system.

Updated packages that resolve CVE-2014-6271 and CVE-2014-7169 (collectively known as “Shellshock”) have now been built for Fedora 19, 20 and 21 Alpha. These packages still need to make their way through the package release system and to the mirrors, but they should be available through the regular update channels shortly.

The new updated packages are named:

Fedora 21: bash-4.3.25-2.fc21
Fedora 20: bash-4.2.48-2.fc20
Fedora 19: bash-4.2.48-2.fc19

Additionally, you can download the built packages directly from Koji (the Fedora buildsystem) using:

Fedora 21 Alpha

Run these commands:

su -c "yum -y install koji"   # provide root password...
koji download-build --arch=$(uname -m) bash-4.3.25-2.fc21
su -c "yum localinstall bash-4.3.25-2.fc21.$(uname -m).rpm"   # provide root password again...

Fedora 20

Run these commands:

su -c "yum -y install koji"   # provide root password...
koji download-build --arch=$(uname -m) bash-4.2.48-2.fc20
su -c "yum localinstall bash-4.2.48-2.fc20.$(uname -m).rpm" # provide root password again...

Fedora 19

Run these commands:

su -c "yum -y install koji"   # provide root password...
koji download-build --arch=$(uname -m) bash-4.2.48-2.fc19
su -c "yum localinstall bash-4.2.48-2.fc19.$(uname -m).rpm"   # provide root password again...
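Once the updated package is installed, confirm that the bash now on disk actually rejects both bugs rather than trusting the version string alone. The script below is an added example written for this page; it is not part of the original post or of the Fedora bash packages. It re-creates the two public probes (the trailing command after an exported function body for CVE-2014-6271, and the parser-state leak that creates a file named "echo" for CVE-2014-7169) and adds a third check that an arbitrary environment variable whose value starts with "() {" is no longer turned into a function, which is the hardening the updated packages carry. The variable name `shellshock_probe_fn` is an arbitrary choice for the probe.

```bash
#!/bin/bash
# Added example for this page (not from the Fedora Magazine post or the
# Fedora bash packages): probe the installed bash for the Shellshock bugs.
# Every probe starts a fresh "bash" so the result reflects the binary now
# on disk, not the shell you happen to be typing into.

# CVE-2014-6271: a vulnerable bash executes the command that trails an
# exported function body ("echo VULNERABLE") while importing the
# environment, before it ever runs the -c command. A fixed bash treats
# x as an ordinary string and only prints "probe".
check_cve_2014_6271() {
    probe_out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$probe_out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left parser state behind, so with this
# environment "echo date" is mis-parsed as a redirection and a file
# named "echo" appears in the current directory. Run it in a scratch
# directory so a vulnerable bash cannot litter the caller's cwd.
check_cve_2014_7169() {
    scratch=$(mktemp -d) || return 2
    if ( cd "$scratch" || exit 2
         env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1
         [ ! -e echo ] ); then
        probe_rc=0
    else
        probe_rc=1
    fi
    rm -rf "$scratch"
    return $probe_rc
}

# Hardening shipped with the fix: function definitions are only imported
# from specially named variables, so a plain variable whose value begins
# with "() {" must not become a function in the child shell.
check_function_import_namespace() {
    probe_out=$(env shellshock_probe_fn='() { echo imported; }' \
        bash -c 'type shellshock_probe_fn >/dev/null 2>&1 && echo imported || echo inert')
    [ "$probe_out" = "inert" ]
}

# Run every probe, print one line per check, and return non-zero if any
# check still shows vulnerable behaviour.
shellshock_report() {
    report_failed=0
    for probe in check_cve_2014_6271 check_cve_2014_7169 check_function_import_namespace; do
        if "$probe"; then
            printf '%-32s ok\n' "$probe"
        else
            printf '%-32s VULNERABLE\n' "$probe"
            report_failed=1
        fi
    done
    return $report_failed
}

shellshock_report
```

Run it in a new terminal after the `yum localinstall` step; a non-zero exit status means at least one probe still behaves like an unpatched bash, in which case check with `rpm -q bash` that the new build was actually installed for your architecture.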
Shell based off "Shell" - CC-BY 3.0 by Guillaume Kurkdjian -- http://thenounproject.com/term/shell/40512/


43 Comments

  1. I have FC16 and I don’t want to upgrade the entire system just to fix this. Any pointers?

  2. Julio Mondragón

    We have an isolated environment running several servers and some of them have old versions of Fedora installed (Core 5 to Core 13). Is it possible to fix this issue without upgrading the entire OS?

  3. SAM

    I am running Fedora Core 3, which patch will compile and work for me?

    • Woah. That is so old that this exploit is probably the least of your problems. There are many other known ways to compromise such a system. I highly, highly recommend updating to one of our newer releases (f20, or even the new f21 alpha). Or, if you really need to leave your system untouched for such a long time, I recommend RHEL or CentOS.

  4. Jim

    I’m running Fedora 17 and upgrading the OS is not an option for me to patch the vulnerability. Is there an upgrade path for this OS? I’ve seen options for FC12-14. Is there a similar option for FC17?

    • Jim Jagielski

      Fedora 17 uses the 4.2 rev of Bash, just as EL7 does, so you could always grab the source RPM (http://vault.centos.org/7.0.1406/updates/Source/SPackages/) and use rpmbuild to build it.

    • lorenzo

      Get the latest Fedora 20 SRPM for bash (the easiest way is to get a Fedora 20 system and type "yumdownloader --source bash" on that workstation). I don't know the exact URL; I did it on my F20 workstation.

      Then I pushed the src.rpm to the F17 system, installed that src.rpm with "rpm -ivh" on the F17 machine, and then in the rpmbuild/SPECS folder
      ran rpmbuild -bb bash.spec 😀

      After a few minutes, it will produce a fresh new bash RPM, built from the sources which fix the vulnerabilities.
      Go to the dir, "yum update bash*" and you are done 😀

      (Works like a charm; however, you may need to install some dependencies. I had to install the texinfo package for the build process, but rpmbuild will tell you.)

    • The method that worked for me on Fedora 17 & Fedora 11: http://juljas.net/lpt/post/fedora-17-shellshock-fix

      • Dan Thurman

        I tried your method for F18.

        BTW: I went to your site and tried to leave you a message, but your CAPTCHA does not work, so I posted the message here instead.

        At your site, you have stated that one needs to change the patchlevel at the bottom of the page for bash42-048, but you said nothing about changing the patchlevel for bash42-049. So, do I leave bash42-049 as it is?

        I can see that the patch for bash42-048 works, but bash42-049 fails, so I tried again without the bash42-049 patch; it created the RPM files, I ran it and tested it (no longer vulnerable). What am I missing with bash42-049?

        • Dan Thurman

          Ah, sorry! Your site was updated and I used the old version!
          I will try your new instructions!

          • Dan Thurman

            Patch bash42-049 fails to patch on F18:

            Patch #49 (bash42-049):
            + /usr/bin/cat /home/dant/rpmbuild/SOURCES/bash42-049
            + /usr/bin/patch -p0 -b --suffix .049 --fuzz=0
            patching file parse.y
            Hunk #2 FAILED at 8379.
            1 out of 2 hunks FAILED -- saving rejects to file parse.y.rej
            patching file patchlevel.h
            error: Bad exit status from /var/tmp/rpm-tmp.VkCUWd (%prep)

            RPM build errors:
            Bad exit status from /var/tmp/rpm-tmp.VkCUWd (%prep)

    • andrej

      fedora17-64 here.
      Installed bash built from http://vault.centos.org/7.0.1406/updates/Source/SPackages/bash-4.2.45-5.el7_0.4.src.rpm and all tests passed fine.

      • I approved this comment but edited it to remove a link to a binary. I appreciate your desire to share and help, but people shouldn’t get in the habit of installing binaries posted to blog comments. Otherwise, we’ll soon have a plague of malware that makes this all look quite tame.

  5. John Vincent

    You can recompile “bash” from source if you can’t find a precompiled version.

    Log in as root, then run the following commands:

    mkdir src
    cd src
    wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    # Upstream patches are numbered from 001 (there is no bash43-000);
    # 025 fixes CVE-2014-6271 and 026 fixes CVE-2014-7169.
    for i in $(seq -f "%03g" 1 26); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
    tar zxvf bash-4.3.tar.gz
    cd bash-4.3
    for i in $(seq -f "%03g" 1 26); do patch -p0 < ../bash43-$i; done
    # The default prefix is /usr/local, which would leave the vulnerable
    # /bin/bash in place; point the install at the system bash instead.
    ./configure --prefix=/usr --bindir=/bin
    make
    make install

    The first line creates a directory called "src" and the next line makes that the current directory.
    Then you run the "wget" command to get the "bash" source code.
    Then you run a "for" loop to get each patch to the source code to bring it up to date; this includes the patch to fix the "shellshock" bug.
    Then you run the "tar" command to extract the "bash" source code into a directory called "bash-4.3", and then the next line makes that your current directory.
    Then you run a "for" loop to apply each patch to the source code.
    Then you run the "./configure" command to prepare the source code for compiling on your machine.
    Then you run the "make" command to compile the source code.
    Finally you run "make install" to install your new version of bash.

    I hope this helps…

  6. Kimmo

    I tried to recompile from source for an FC16 system. Compiled nicely, but ‘make tests’ failed. So still working on this…

  7. Vijay B

    Is there a patch for Fedora 7?

  8. This is not a vulnerability. This is a syntactical peculiarity of the bash scripting language. MAYBE it’s a bug. THAT IS ALL. This itself isn’t remotely exploitable unless an attacker already has remote access anyways. So what if an ‘attacker’ can run bash code in an unconventional place? If the ‘attacker’ already has access to a bash prompt, then you’ve got bigger problems. As a security professional, this whole “Shell Shock” thing is a big trolling joke. I’m not sure how this vulnerability alert REALLY started, but my hunch is that whoever did it secretly doesn’t like bash, OS X, Linux, or Unix, and wants to slander those things through fear-mongering.

    • Agadir, check out the Red Hat security blog for some more background. The vulnerability is that code was executed in a place where it was only expected to be loaded — and that includes in places where environment variables can be set from the network.

      As explained in my post on how this works, our fix both closes the bug which allows unexpected execution and changes it so arbitrary variables aren’t scanned, closing down the whole possibility for most exploits (like setting TERM or USER_AGENT).

  9. James Babcock

    This incident has called my attention to how short Fedora’s support period is (the oldest supported version is 1 year, 3 months), and simultaneously put me into contact with a really broken update procedure (starting from FC14). After installing an update out-of-band as a stopgap, my plan is to rebuild the server with another distro and never touch Fedora again.

    • If you’re looking for a long term system, you probably want CentOS. Fedora is made to give you the latest software in an easily consumable form. The tradeoff is shorter maintenance cycles. With something like CentOS you will give up using a lot of the latest software. Sorry you didn’t have clear information about what Fedora is for. This FAQ might be helpful for you and others.

  10. Takeshi

    I am using Fedora 11. Anyone tested the patch and checked that everything works fine after patching?

  11. ayaz

    Can anyone tell me how to make and use shellshock, because I don't have any idea?
    Thanks in advance.

    • You’re not trying to use shellshock — it’s a vulnerability, not a program. Patch your system using the update instructions described above.


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions