update for "Shell Shock" / or how to remove bash

[Hodor]

Hi, is there an update for the 'shell shock' bug yet, or advice on how to remove bash or otherwise deal with this?
when I try to sudo apt-get update, I get an error 'Could not resolve 'dl.google.com' - any advice?
Could not resolve 'dl.google.com'



Thanks

[Newbunto]

Is there any specific information about this vulnerability, never mind about how to deal with it?

What is the vulnerability? Who is vulnerable and who is not? What is the attack mechanism?

[Newbunto]

Some info:

https://blog.cloudsecurityalliance.o...an-heartbleed/

https://access.redhat.com/articles/1200223

I've already seen Robert Graham's mass scan visit one of my web servers checking for this vulnerability.

[chris294]

https://community.qualys.com/blogs/s...-cve-2014-6271

doesn't matter too much - easy to fix and test.

A simple test to check if your Bash is vulnerable is available publicly.

• $ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true

Upon running the above command, an affected version of bash will output "vulnerable".

Once the patch has been applied, the same test will return the following result.

• bash: warning: var: ignoring function definition attempt
• bash: error importing function definition for 'var'

if vulnerable then ..
apt-get update
apt-get install bash
then re-run the above test
then go have a milkshake

[moda2]

test if your bash is vulnerable

# env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

[deadflowr]

Hi, is there an update for the 'shell shock' bug yet, or advice on how to remove bash or otherwise deal with this?
when I try to sudo apt-get update, I get an error 'Could not resolve 'dl.google.com' - any advice?
Could not resolve 'dl.google.com'

Seems that's a google repo.
Do you have google packages installed?
You might temporarily try disabling those repos so the update manager can get the ubuntu packages updated.
After that try re-enabling them after the ubuntu packages are updated.

And bash is an essential package, so don't try removing it.

Is there any specific information about this vulnerability, never mind about how to deal with it?

What is the vulnerability? Who is vulnerable and who is not? What is the attack mechanism?

Ubuntu Security Notices
http://www.ubuntu.com/usn/

The Bash security notice
http://www.ubuntu.com/usn/usn-2362-1/

[Lars Noodén]

The Bash security notice
http://www.ubuntu.com/usn/usn-2362-1/

These notices are also sent out via the security mailing list, if you (@hodor) want to follow:
https://lists.ubuntu.com/mailman/lis...urity-announce
They include only a little explanation but do provide pointers to more.

Otherwise, checking for and applying updates daily works.

I wonder if this bug will be marketed as a brand name like another recent one that does not need to be mentioned.

[Hodor]

Thanks everyone for the help - all sorted.

[oldrocker99]

oops

[deadflowr]

These notices are also sent out via the security mailing list, if you (@hodor) want to follow:
https://lists.ubuntu.com/mailman/lis...urity-announce
They include only a little explanation but do provide pointers to more.

Otherwise, checking for and applying updates daily works.

I wonder if this bug will be marketed as a brand name like another recent one that does not need to be mentioned.

+1 to subscribing to the mailing list, you can eiher get an email per announcement(bug alert) or a daily digest.
+2 to setting security updates to daily.

ShellShock is the Branded Name, so far.