Fixing CVE-2014-6271 remote code execution through bash on Ubuntu and CentOS

Fixing CVE-2014-6271

In many common configurations, this vulnerability is exploitable over the network.

Chet Ramey, the GNU bash upstream maintainer, will soon release official upstream patches.

Issue with CVE-2014-6271

Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.

Quick responses from distributions

Ubuntu’s statement is available here:

CentOS released this:

RedHat released this:

Are you vulnerable to CVE-2014-6271?

On your GNU/Linux system, type echo $0. If the output is -bash, you are running bash.

Test whether your system is vulnerable. Make sure the shell you are testing from is bash: if you aren’t in bash, type bash to start a bash shell first.

You are vulnerable if the output is:
this is a test

Fix CVE-2014-6271 on Ubuntu

Type this:

Ubuntu 10.04 LTS may use:

Ensure that the output contains something like this:

The following packages will be upgraded:

1 upgraded, 0 newly installed, 0 to remove…

Test for vulnerability again. If possible, reboot the system.

Fix CVE-2014-6271 on CentOS

On RedHat/CentOS, use this command, then test for the vulnerability again:

Ensure that the output contains something like this:

bash.x86_64 0:3.2-33.el5.1 (your version may be different)
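The check described in “Are you vulnerable to CVE-2014-6271?” and the upgrade-then-retest steps of the Ubuntu and CentOS sections, put together as one script. This is an added example, not code from the original post or from any distribution: the function names, the SHELLSHOCK_MARKER string and the apt-get/yum invocations are this example’s own assumptions. The test works the way the post describes the bug: an environment variable holding a function definition with trailing code is passed to a child bash, and only a vulnerable bash runs that trailing code.

```shell
#!/bin/sh
# Added example, not part of the original post: check the installed bash for
# CVE-2014-6271 and, on request, upgrade it with the distribution's package
# manager and re-check. Function names, the SHELLSHOCK_MARKER string and the
# apt-get/yum invocations are this example's assumptions, not the post's.

# shellshock_status [path-to-bash]
# Prints one of: vulnerable, patched, no-bash.
# Exit status: 1 if vulnerable, 0 if patched, 2 if no bash binary was found.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    # Export a variable whose value is a function definition followed by
    # trailing code. A vulnerable bash runs the trailing "echo" while importing
    # the variable into the child shell. A patched bash either defines just the
    # function and warns on stderr, or (with the later hardening of the import
    # format) treats the value as plain data; either way the marker is absent.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo vulnerable
            return 1
            ;;
        *)
            echo patched
            return 0
            ;;
    esac
}

# fix_bash: upgrade only the bash package, then re-run the check.
# Needs root. The package-manager commands are assumptions for Debian/Ubuntu
# (apt-get) and RHEL/CentOS (yum); other distributions are not handled.
fix_bash() {
    if command -v apt-get >/dev/null 2>&1; then
        apt-get update && apt-get install --only-upgrade bash || return 1
    elif command -v yum >/dev/null 2>&1; then
        yum update -y bash || return 1
    else
        echo "no supported package manager found" >&2
        return 1
    fi
    # Re-test after the upgrade. New child shells pick up the new binary at
    # once; shells and services already running keep the old code until they
    # are restarted, which is why the post suggests a reboot where possible.
    shellshock_status
}

# Command-line use: ./shellshock.sh --check | --fix
case "${1:-}" in
    --check) shellshock_status ;;
    --fix)   fix_bash ;;
esac
```

Run it with --check before and after the upgrade; the check spawns a fresh child bash, so it tells you about the binary on disk, not about the shell you are typing into. Because the trailing code in the test is only an echo of a marker string, the script has no effect on a vulnerable system beyond printing “vulnerable”.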