I have a system that I administer remotely (2 timezones away) that runs Ubuntu 9.04, Jaunty. For various reasons, mainly that I'm really leery about trying to do a distribution upgrade from so far away, I can't upgrade it to a more recent version. Obviously it's no longer supported and there aren't any official patches. Are there instructions available as to how I can patch the code and recompile bash myself to remove the shellshock vulnerabilities?
4 Answers
Stole this from AskUbuntu, from someone who stole it off of Hacker News. Worked on two old servers for me
# build in a scratch directory
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# download all patches; the loop stops at 028, so check the patches directory
# for later ones and raise the upper bound before running it
for i in $(seq -f "%03g" 1 28); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
# apply all patches in order; the official patches are -p0 relative to the source root
for i in $(seq -f "%03g" 1 28); do patch -p0 < ../bash43-$i; done
# build and install over /bin/bash (make install needs root, so run it via sudo)
./configure --prefix=/ && make && make install
cd ../..
rm -r src
Update: I just noticed that if you don't add --prefix=/ to the configure command you'll end up with /usr/local/bin/bash that is up to date and /bin/bash will still be vulnerable.
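Whichever route you take, verify the result on the binary you actually replaced rather than trusting the version string. The script below is an added example, not part of the answer above: it runs the two classic Shellshock probes against a bash binary given on the command line (the first fix, bash43-025, left CVE-2014-7169 open, which is why both tests matter) and prints the environment-variable name the binary uses for an exported function, since a fully patched bash no longer exports functions under the plain variable name. It assumes a POSIX sh with env and mktemp available.

```shell
#!/bin/sh
# Added example, not from the original answers: report whether a given bash
# binary is still affected by the two best-known Shellshock bugs. Assumes a
# POSIX sh, env and mktemp; the path to test is taken as the first argument.

# CVE-2014-6271: a variable whose value looks like an exported function plus
# trailing commands. A vulnerable bash runs the trailer while importing it.
test_6271() {
    bin="$1"
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo harmless' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) return 1 ;;   # trailing command was executed
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the gap left by the first fix. The parser desync turns the
# next word of the command into a redirection, so a vulnerable bash creates
# a file called "echo" in the current directory instead of printing "date".
test_7169() {
    bin="$1"
    dir=$(mktemp -d) || return 2
    if ( cd "$dir" || exit 2
         env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 || true
         [ ! -e ./echo ] ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# The later patches also stop exported functions from sharing the plain
# variable namespace: an exported f shows up as BASH_FUNC_f%% (upstream) or
# BASH_FUNC_f() (Debian/Red Hat builds) instead of f. Print the name in use.
exported_function_name() {
    "$1" -c 'f() { :; }; export -f f; env' 2>/dev/null \
        | grep '^\(BASH_FUNC_\)\{0,1\}f[^=]*=() {' | cut -d= -f1
}

# Summarise: "patched", or "vulnerable:" followed by the CVEs that still apply.
shellshock_status() {
    bin="$1"
    [ -x "$bin" ] || { echo "not-found"; return 0; }
    bad=""
    if ! test_6271 "$bin"; then bad="$bad CVE-2014-6271"; fi
    if ! test_7169 "$bin"; then bad="$bad CVE-2014-7169"; fi
    if [ -z "$bad" ]; then
        echo patched
    else
        echo "vulnerable:$bad"
    fi
}

# usage: sh shellshock-check.sh /bin/bash
if [ -n "$1" ]; then
    echo "$1: $(shellshock_status "$1") (exported function name: $(exported_function_name "$1"))"
fi
```

Run it against /bin/bash and against /usr/local/bin/bash if both exist: a build without --prefix=/ leaves the first reporting vulnerable while the second reports patched, which is exactly the trap described in the update above.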
There's also a solution of updating your sources.list to the newest one and then using apt-get to upgrade only bash. It's really quick and I've written an article about it. Here's what you basically do:
Upgrade to latest Ubuntu 'trusty' apt-get repositories (you might also have to change old-repositories.ubuntu.com URLs if you use them, check linked article):
# YOUR_OS_CODENAME is the codename currently in your sources.list (jaunty for the system in the question)
sudo sed -i 's/YOUR_OS_CODENAME/trusty/g' /etc/apt/sources.list
Upgrade bash / apply fix:
sudo apt-get update
sudo apt-get install --only-upgrade bash
And possibly change back apt-get repositories.
The command should be
sudo apt-get update && sudo apt-get install --only-upgrade bash
One simple option is just not to use bash. Make sure dash is installed and that /bin/sh is a symlink to dash, not bash. (This is the default on some versions of Debian, but I'm not sure about Ubuntu.) If you have user accounts for ssh access with forced commands, you need to change their login shells too. You might also need to check for any scripts explicitly using bash; grepping for #!/bin/bash should find them.
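The grep suggested above only catches the literal #!/bin/bash. The script below is an added example, not part of the answer: it walks a directory tree and lists every script whose first line invokes bash in any of the usual spellings (#!/bin/bash, #! /bin/bash, #!/usr/bin/env bash, #!/usr/local/bin/bash, with or without options), and reports what /bin/sh resolves to so you can confirm it is dash. It assumes a POSIX sh with find, head and readlink available; the path to scan is taken as the first argument.

```shell
#!/bin/sh
# Added example, not from the original answer: find scripts whose shebang
# runs bash in any common spelling, which a grep for the literal string
# "#!/bin/bash" would miss, and report what /bin/sh is a symlink to.
# Assumes POSIX sh, find, head and readlink.

# Print every regular file under $1 whose first line is a bash shebang.
bash_scripts_in() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        line=$(head -n 1 "$f" 2>/dev/null) || continue
        case "$line" in
            '#!'*/bash|'#!'*/bash' '*|'#!'*'env bash'|'#!'*'env bash '*) echo "$f" ;;
        esac
    done
}

# Print the basename of the symlink target of $1 (default /bin/sh),
# or "not a symlink". "dash" means plain sh scripts never reach bash.
sh_implementation() {
    link="${1:-/bin/sh}"
    target=$(readlink "$link" 2>/dev/null || true)
    if [ -n "$target" ]; then
        basename "$target"
    else
        echo "not a symlink"
    fi
}

# usage: sh find-bash-scripts.sh /etc /usr/local/bin
if [ -n "$1" ]; then
    echo "/bin/sh -> $(sh_implementation /bin/sh)"
    for dir in "$@"; do
        bash_scripts_in "$dir"
    done
fi
```

Scripts that run under a forced command or a cron job are the ones to check first, since those are the paths an attacker-controlled environment variable can reach without an interactive login.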