CentOS Fix for Bash Bug (CVE-2014-6271 & CVE-2014-7169)

Bash, aka the Bourne-Again Shell, has a newly discovered security hole which has been officially documented as CVE-2014-6271 & CVE-2014-7169. And, for many Unix or Linux Web servers, it’s a major problem.

The flaw involves how Bash evaluates environment variables. With specially crafted variables, an attacker could use this hole to execute shell commands. This, in turn, could expose the server to further compromise.

 

After a couple of days of trouble, today we got a fix from CentOS for the famous bash security issue (for the known loopholes CVE-2014-6271 & CVE-2014-7169).

CentOS 5 Fix:

* i386:

(sha256sum) 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7 : bash-3.2-33.el5_10.4.i386.rpm

* x86_64:

(sha256sum) b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c : bash-3.2-33.el5_10.4.x86_64.rpm

CentOS 6 Fix:

* x86_64:

http://mirror.centos.org/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm

* i386:

http://mirror.centos.org/centos/5/updates/i386/RPMS/bash-3.2-33.el5_10.4.i386.rpm

Test Output:

[root@ ~]# rpm -qa | grep bash

bash-3.2-32.el5

[root@ ~]# env X='() { (a)= >\' bash -c "echo date";

bash: X: line 0: syntax error near unexpected token `='

bash: X: line 0: `X () { (a)= >\'

bash: error importing function definition for `X'

date

[root@ ~]#

* After updating to the latest bash RPM:

[root@ ~]# rpm -qa | grep bash

bash-3.2-33.el5_10.4

[root@ ~]#

[root@ ~]# env X='() { (a)= >\' bash -c "echo date";

date

[root@ ~]#
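The check above can be scripted for a fleet. The following is an added example, not part of the original post: it compares an installed bash build against the fixed builds named on this page and verifies a downloaded RPM against the checksums listed above before it is installed. The function names are hypothetical, and the version comparison is a simplified stand-in for rpm's own.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
FIXED_EL5="3.2-33.el5_10.4"   # fixed CentOS 5 build named on this page
FIXED_EL6="4.1.2-15.el6_5.2"  # fixed CentOS 6 build named on this page

# ver_ge A B: true when A >= B. Assumption: numeric segments are compared
# left to right, a simplification of rpm's own version comparison.
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# is_fixed VERSION-RELEASE: 0 = fixed build or newer, 1 = older, 2 = unknown release.
# Input comes from: rpm -q --qf '%{VERSION}-%{RELEASE}\n' bash
is_fixed() {
  case "$1" in
    *.el5*) min=$FIXED_EL5 ;;
    *.el6*) min=$FIXED_EL6 ;;
    *) return 2 ;;
  esac
  ver_ge "$1" "$min"
}

# published_sum FILE: print the sha256 this page lists for that RPM file name.
published_sum() {
  case "$(basename "$1")" in
    bash-3.2-33.el5_10.4.i386.rpm)   echo 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7 ;;
    bash-3.2-33.el5_10.4.x86_64.rpm) echo b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c ;;
    *) return 1 ;;
  esac
}

# sha_matches FILE HEX: true when the sha256 of FILE equals HEX.
sha_matches() {
  got=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
  [ -n "$got" ] && [ "$got" = "$2" ]
}

# verify_rpm FILE: 0 = checksum matches, 1 = mismatch, 2 = no checksum listed here.
verify_rpm() {
  want=$(published_sum "$1") || return 2
  sha_matches "$1" "$want"
}
```

Install the package only when verify_rpm returns 0, and treat a return of 2 from either function as "check by hand" rather than as a pass.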

 
