Updated Bash packages now available via Fedora updates

The updated Bash packages for Fedora 19, 20 and 21 Alpha are now available in the official Fedora repositories. These updated packages provide fixes that resolve CVE-2014-6271 and CVE-2014-7169 (the issue that has been labeled “Shellshock”)

To get these updated packages, either update using the Software application, or run the following command in the terminal to download and install all the updates for your system:

sudo yum update

At the time of writing, the most up-to-date versions of Bash that resolve the CVEs are:

Fedora 21: bash-4.3.25-2.fc21
Fedora 20: bash-4.2.48-2.fc20
Fedora 19: bash-4.2.48-2.fc19

To err on the side of caution, if you previously installed one of these builds from Koji (the Fedora Buildsystem) as per these instructions, it would be prudent to reinstall the package from the official Fedora repositories to ensure that you are running a signed version of the updated Bash package. To reinstall Bash for your system, use the command:

sudo yum reinstall bash

It is also important to note that older versions of Fedora (Fedora 18 or older) are currently deemed unsupported (“End of Life”), so no updated versions of Bash will be released for these via the official Fedora repositories. It is recommended that you migrate or upgrade your system to a version of Fedora that is supported (i.e. Fedora 19 or Fedora 20).

Shell based off "Shell" - CC-BY 3.0 by Guillaume Kurkdjian -- http://thenounproject.com/term/shell/40512/

Shell based off “Shell” – CC-BY 3.0 by Guillaume Kurkdjian — http://thenounproject.com/term/shell/40512/

 

Fedora Project community

11 Comments

  1. Hi All,

    Any idea when the fix for fedora 16 is coming?

    Thanks
    Vivek

    • Vivek, please see https://fedoraproject.org/wiki/End_of_life — we have limited resources and concentrate them on our current releases. You can rebuild bash yourself, or (my recommendation!) upgrade to Fedora 20.

    • Henry Grebler

      Hi Vivek,

      I run fedora 16 and fedora 18 and I can’t see myself finding the
      several hours to upgrade any time soon. Here’s a couple of convenient
      if unorthodox solutions for those of us with older fedoras. YMMV.

      Cheers, henry

      I got the fixed bash for fedora 19 following instructions in this article:

      http://fedoramagazine.org/shellshock-update-bash-packages-that-resolve-cve-2014-6271-and-cve-2014-7169-available/

      (In the comments, there are suggestions mentioning CenotOS that are
      worth considering.)

      You’ll end up with bash-4.2.48-2.fc19.i686.rpm in /tmp (or somewhere convenient).

          RPM=bash-4.2.48-2.fc19.i686.rpm

      I tried to install it but when I tested it I got:

          rpm --install --test $RPM

      error: Failed dependencies:
      filesystem \’ bash -c “echo date”; \
      cat /tmp/echo)
      date
      cat: /tmp/echo: No such file or directory

      If you’re not completely certain, go back to the first session and
      undo the mod:

          mv bash bash.jic; mv bash.Shellshock bash

      Check your work and start again.

      This worked for me for fedora 16 and fedora 18 running on different VMs
      on different host machines.

  2. John Dorflinger

    Thank you for the clarity and easy fix.

  3. Soren

    Why is Fedora using Bash as the system shell? Debian seems to go with Dash based on the idea that the simplest possible system shell is the most secure one (kinda makes sense).

  4. Mark Mays

    For Fedora 20, no update is appearing in my repo and my bash version is still 4.2.47. Any ideas on why the update isn’t appearing?

    • Hi Mark,

      This could be a few things. It might be that your yum cache is old and it is not finding the new packages. You could try cleaning out the yum cache with:

      sudo yum clean all

      then trying to update bash with

      sudo yum update bash

      Or it could be that you have the fastestmirror plugin installed, and it is finding a mirror that has old packages. You could try the following command to disable the plugin and try to install bash:

      sudo yum –disableplugin=fastestmirror update bash

  5. Henry Grebler

    I really appreciate all the work done to respond to Shellshock by the
    people at Fedora and the wider Linux community; and I do understand
    about limited resources.

    However, I have a small quibble which I think is perhaps more
    significant given this is a security issue. Looking at the fix for
    fedora 19, the rpm is called bash-4.2.48-2.fc19.i686.rpm. Similar
    numbers appear if ‘rpm –query -i’ is used:

    Name : bash
    Version : 4.2.48
    Release : 2.fc19
    Architecture: i686

    But these numbers are not the same as that reported by the software
    itself:

        bash.fc19 --version | head -1

    GNU bash, version 4.2.48(1)-release (i686-redhat-linux-gnu)

    You might think you are still running the version with the problem.

    You can get a similar (incorrect) version string without running the
    software:

        strings /bin/bash.fc19 | grep 'Bash version'

    @(#)Bash version 4.2.48(1) release GNU

    I would like to be able to get positive confirmation that I have a
    fixed binary without having to run potentially compromised software.
    At least, the binary would contain and display the same version as
    claimed in the package. Ideally, it would also contain a string like

        Fixed by the Fedora team 2014 September 26 in response
        to the Shellshock bug.

    I’m guessing that the current spate of fixes (I think Red Hat’s are
    different) are interim measures; that in the fullness of time GNU will
    come out with newer versions of bash containing fixes. These will have
    higher rev numbers and will be clearly identifiable.

  6. Deep

    Any help on Fedora 8?

    • Joe Brockmeier

      Fedora 8 is well, well past its end of life. You should probably upgrade to a current release.

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: