The updated Bash packages for Fedora 19, 20 and 21 Alpha are now available in the official Fedora repositories. These updated packages provide fixes that resolve CVE-2014-6271 and CVE-2014-7169 (the issue that has been labeled “Shellshock”).
To get these updated packages, either update using the Software application, or run the following command in the terminal to download and install all the updates for your system:
sudo yum update
At the time of writing, the most up-to-date versions of Bash that resolve the CVEs are:
Fedora 21: bash-4.3.25-2.fc21
Fedora 20: bash-4.2.48-2.fc20
Fedora 19: bash-4.2.48-2.fc19
To err on the side of caution, if you previously installed one of these builds from Koji (the Fedora Buildsystem) as per these instructions, it would be prudent to reinstall the package from the official Fedora repositories to ensure that you are running a signed version of the updated Bash package. To reinstall Bash for your system, use the command:
sudo yum reinstall bash
It is also important to note that older versions of Fedora (Fedora 18 or older) are currently deemed unsupported (“End of Life”), so no updated versions of Bash will be released for these via the official Fedora repositories. It is recommended that you migrate or upgrade your system to a version of Fedora that is supported (i.e. Fedora 19 or Fedora 20).
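As an added example (not part of the original article or Fedora's own tooling), the script below compares an installed Bash version-release against the fixed builds listed above and reports whether the package carries a signature, which is the concern with builds installed directly from Koji. The function names are hypothetical, the comparison relies on GNU `sort -V`, and the signature check assumes the `Signature` line printed by `rpm -qi`, which reads `(none)` for an unsigned package.

```shell
#!/bin/sh
# Added example: check an installed Bash build against the fixed builds
# listed in this article, and check that the package is signed.

# ver_ge A B: succeeds when A >= B. Uses GNU sort -V, which orders these
# numeric version-release strings the same way RPM does (it is only an
# approximation of RPM's comparison in general).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# bash_fix_status VERSION-RELEASE, e.g. "4.2.48-2.fc20"
# Prints: fixed | outdated | unlisted
bash_fix_status() {
    vr=${1%.fc*}      # version-release without the dist tag
    dist=${1##*.}     # dist tag, e.g. fc20
    case $dist in
        fc21)      min=4.3.25-2 ;;
        fc20|fc19) min=4.2.48-2 ;;
        # The article lists no fixed build for other releases
        # (Fedora 18 and older are End of Life).
        *)         echo unlisted; return 0 ;;
    esac
    if ver_ge "$vr" "$min"; then echo fixed; else echo outdated; fi
}

# sig_status RPM_QI_OUTPUT: reads the Signature line of `rpm -qi` output.
# Prints: signed | unsigned
sig_status() {
    sig=$(printf '%s\n' "$1" | sed -n 's/^Signature *: *//p')
    case $sig in
        ''|'(none)') echo unsigned ;;
        *)           echo signed ;;
    esac
}

# Live check, only on systems that have rpm.
if command -v rpm >/dev/null 2>&1; then
    echo "bash build: $(bash_fix_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' bash)")"
    echo "signature:  $(sig_status "$(rpm -qi bash)")"
fi
```

A result of `outdated` or `unsigned` is the cue to run the update or reinstall commands given above.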
Vivek
Hi All,
Any idea when the fix for fedora 16 is coming?
Thanks
Vivek
Matthew Miller
Vivek, please see https://fedoraproject.org/wiki/End_of_life — we have limited resources and concentrate them on our current releases. You can rebuild bash yourself, or (my recommendation!) upgrade to Fedora 20.
Henry Grebler
Hi Vivek,
I run fedora 16 and fedora 18 and I can’t see myself finding the
several hours to upgrade any time soon. Here’s a couple of convenient
if unorthodox solutions for those of us with older fedoras. YMMV.
Cheers, henry
I got the fixed bash for fedora 19 following instructions in this article:
https://fedoramag.wpengine.com/shellshock-update-bash-packages-that-resolve-cve-2014-6271-and-cve-2014-7169-available/
(In the comments, there are suggestions mentioning CentOS that are
worth considering.)
You’ll end up with bash-4.2.48-2.fc19.i686.rpm in /tmp (or somewhere convenient).
I tried to install it but when I tested it I got:
error: Failed dependencies:
filesystem \’ bash -c “echo date”; \
cat /tmp/echo)
date
cat: /tmp/echo: No such file or directory
If you’re not completely certain, go back to the first session and
undo the mod:
Check your work and start again.
This worked for me for fedora 16 and fedora 18 running on different VMs
on different host machines.
John Dorflinger
Thank you for the clarity and easy fix.
Soren
Why is Fedora using Bash as the system shell? Debian seems to go with Dash based on the idea that the simplest possible system shell is the most secure one (kinda makes sense).
Mark Mays
For Fedora 20, no update is appearing in my repo and my bash version is still 4.2.47. Any ideas on why the update isn’t appearing?
Ryan Lerch
Hi Mark,
This could be a few things. It might be that your yum cache is old and it is not finding the new packages. You could try cleaning out the yum cache with:
then trying to update bash with
Or it could be that you have the fastestmirror plugin installed, and it is finding a mirror that has old packages. You could try the following command to disable the plugin and try to install bash:
sudo yum --disableplugin=fastestmirror update bash
Mark Mays
Great! Thanks. Clearing the cache worked.
Henry Grebler
I really appreciate all the work done to respond to Shellshock by the
people at Fedora and the wider Linux community; and I do understand
about limited resources.
However, I have a small quibble which I think is perhaps more
significant given this is a security issue. Looking at the fix for
fedora 19, the rpm is called bash-4.2.48-2.fc19.i686.rpm. Similar
numbers appear if ‘rpm --query -i’ is used:
Name : bash
Version : 4.2.48
Release : 2.fc19
Architecture: i686
But these numbers are not the same as that reported by the software
itself:
GNU bash, version 4.2.48(1)-release (i686-redhat-linux-gnu)
You might think you are still running the version with the problem.
You can get a similar (incorrect) version string without running the
software:
@(#)Bash version 4.2.48(1) release GNU
I would like to be able to get positive confirmation that I have a
fixed binary without having to run potentially compromised software.
At least, the binary would contain and display the same version as
claimed in the package. Ideally, it would also contain a string like
to the Shellshock bug.
I’m guessing that the current spate of fixes (I think Red Hat’s are
different) are interim measures; that in the fullness of time GNU will
come out with newer versions of bash containing fixes. These will have
higher rev numbers and will be clearly identifiable.
Deep
Any help on Fedora 8?
Joe Brockmeier
Fedora 8 is well, well past its end of life. You should probably upgrade to a current release.