Updating bash to patch Shellshock on discontinued CentOS 4.8
By now, this week's news of the Shellshock vulnerability has quieted to a bit of a rumble. What a mess, and to think that this exploit has been possible for such a long time...
What to do about old Linux distros, then? Yes, the rule of thumb is that if the distro is no longer widely supported, one should move off of it, or at least put it behind something more secure. But what if there is a single application which requires just that particular old distro, and will not play nicely with anything newer, and what if that particular app is proprietary, and no longer available?
I found myself in just this situation this week. I have an app running quite happily on CentOS 4.8 32-bit, and have seen no reason to replace it. CentOS 4.8 is still installable on modern hardware, so should a catastrophic hardware failure occur, I could get back up and running in a short period of time. The app (unfortunately) does have some exposure to the outside world, albeit over SSL (and no, Heartbleed is not a concern). However, there is some CGI involved, and this is what brought the situation to my immediate attention.
Using VirtualBox, I built both 32- and 64-bit CentOS 4.8 and 3.9 VMs, and applied the latest upstream bash patches (through bash30-022, initially bash30-019, for CentOS 4.8; through bash205b-013 for CentOS 3.9) to address the following:
CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 (plus additional related fixes)
I've packaged updated RPMs on my FTP server, here. From the readme:
A comprehensive Shellshock test may be found here.
Notes:
The above test, when run on my systems, results in the following:
i386:
Testing /bin/bash ...
GNU bash, version 3.00.21(1)-release (i686-redhat-linux-gnu)
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
Variable function parser inactive, likely safe from unknown parser bugs
x86_64:
Testing /bin/bash ...
GNU bash, version 3.00.21(1)-release (x86_64-redhat-linux-gnu)
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
Variable function parser inactive, likely safe from unknown parser bugs
The post with several manual tests is here.
Also, the test for CVE-2014-7187 is inconclusive, due to the lack of an address sanitizer (gcc option -fsanitize=address). That feature was added in gcc 4.8, and these builds were made with gcc 3.4.6, so no address sanitizer was available. I'm open to suggestions (short of trying to build gcc 4.8 on CentOS 4.8).
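For readers who want a quick, scriptable sanity check of a rebuilt bash before trusting it, here is an added example (my own, not the comprehensive test script or the manual tests linked above). It probes a given bash binary for the original CVE-2014-6271 condition and for whether the pre-patch "name=() { ...; }" exported-function parser is still active, which is the "Variable function parser inactive" line in the output above. The script path and the default /bin/bash location are assumptions; it deliberately does not cover CVE-2014-7187, for the reason given in the notes.

```shell
#!/bin/sh
# Added example: probe a bash binary for the original Shellshock condition and
# for the old exported-function parser. Not the test script the post links to.
# Usage (assumed file name): sh shellshock-check.sh /bin/bash

# Return 0 when BASH_BIN does not run trailing commands while importing an
# exported function definition (CVE-2014-6271); return 1 when it does.
check_cve_2014_6271() {
    bash_bin="$1"
    # The marker word only appears if the import step executes the trailing command.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when BASH_BIN ignores an exported function in the pre-patch
# "name=() { ...; }" form (parser inactive, as reported for bash30-022 above);
# return 1 when the function is still imported and callable.
check_function_parser_inactive() {
    bash_bin="$1"
    out=$(env 'probe_fn=() { echo IMPORTED; }' "$bash_bin" -c 'probe_fn' 2>/dev/null)
    case "$out" in
        *IMPORTED*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one status line per check for the given binary; always returns 0.
report() {
    bash_bin="$1"
    if [ ! -x "$bash_bin" ]; then
        echo "$bash_bin: not found or not executable"
        return 0
    fi
    if check_cve_2014_6271 "$bash_bin"; then
        echo "$bash_bin: not vulnerable to CVE-2014-6271"
    else
        echo "$bash_bin: VULNERABLE to CVE-2014-6271"
    fi
    if check_function_parser_inactive "$bash_bin"; then
        echo "$bash_bin: variable function parser inactive"
    else
        echo "$bash_bin: variable function parser still active (apply the latest patches)"
    fi
    return 0
}

report "${1:-/bin/bash}"
```

Run it against each rebuilt binary (for example the i386 and x86_64 builds in separate VMs). A binary that passes both checks is not proven free of the remaining parser bugs, which is why the comprehensive test above is still worth running, but a failure on either check means the patch set is incomplete.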
More discussion on these builds may be found here.
Finally, I've uploaded the latest spec files to my FTP server, for the curious and the do-it-yourself-ers. (Thanks for the suggestion, Justin!)
I hope they prove useful. Good luck!
Last updated by LewisR.
October 2nd, 2014 - 01:46
Updated to include Patch 20, which addresses CVE-2014-6278 (patch for 6277 still pending). See FTP server link above, and be sure to check the updated readme. We expect at least one more round of patches, and I'll likely update the post itself to include the later information.
October 7th, 2014 - 18:30
Updated to include Patches 21 and 22 (for bash 3.0) and through Patch 13 (for bash 2.05b). Follow the FTP link above to download binaries and readmes relevant to the different CentOS versions (simply go to the /pub/CentOS/3.9 directory for the older ones).
We'll see what other patches may come through for these, and I'll try to keep up as best I can.
October 20th, 2014 - 00:10
Updated to mention builds for CentOS 3.9 and availability of spec files.