旧版 Debian 版本和 Bash Shellshock

We are running Debian Etch, Lenny and Squeeze, because this shop has never done upgrades; we have over 150 systems running various Debian releases. Given this week's Shellshock, I think I need to upgrade bash. I don't know Debian, so I'm worried.

Can I just run apt-get install bash on all of the Debian systems, with my repositories pointing at the Squeeze entries, and get the correct Bash package? If not, what other courses of action do I have?

Answer 1

You can choose to upgrade only bash. To do so, use the following apt-get commands:

apt-get update

Then, once the update has fetched the list of available updates, run:

apt-get install --only-upgrade bash

To get updates for older releases (e.g. Squeeze), you may need to add the Squeeze-LTS repository to your sources.list.

To add this repository, edit /etc/apt/sources.list and append the following line to the end of the file.

deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib

To check whether a particular system is vulnerable (or to see whether the upgrade worked), you can check the bash version you are running and see whether that version is affected (it probably is), or use one of the many shell test scripts that can be found online.

Edit 1

To upgrade bash on Lenny or Etch, see Ilya Sheershoff's answer below on how to compile from source and manually upgrade the version of bash you are running.

Edit 2

Here is an example sources.list file from a Squeeze server that I upgraded successfully:

deb http://ftp.us.debian.org/debian/ squeeze main
deb-src http://ftp.us.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

# squeeze-updates, previously known as 'volatile'
deb http://ftp.us.debian.org/debian/ squeeze-updates main
deb-src http://ftp.us.debian.org/debian/ squeeze-updates main

# Other - Adding the lts source for security updates
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Answer 2

If the apt-get install option doesn't work, you need to recompile bash from source. The answer has examples for Lenny and Etch. I don't have any Squeeze machines, but it should be easy to figure out what to do.

TaNNkoST's solution, which I found online:

Check the number of available patches and, if there are newer ones, change the numbers in the "(seq" part.

For Lenny

# first find out the version you have, so you know which source tarball and patches to get
dpkg-query -l | grep bash
# ii  bash  4.1-3  The GNU Bourne Again SHell

# do this in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1

# fetch and apply all patches, including the latest ones that fix CVE-2014-6271
# (upstream numbering starts at 001, there is no bash41-000; stop at the first failure)
for i in $(seq -f "%03g" 1 14); do
    wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i || break
    patch -p0 < bash41-$i || break
done

# check whether yacc is installed; if not, install bison (which provides yacc)
apt-get install bison

# configure, compile and install bash (this installs bash into /usr/local/bin/bash)
./configure && make
make install

# replace /bin/bash with a symlink to the new binary
# (note: if /usr is a separate filesystem, /bin/bash is unusable until /usr is mounted)
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

# check that you're no longer vulnerable with the output of the following:
# it should not print the word "vulnerable" any more
env x='() { :;}; echo vulnerable' bash -c echo

# you can delete the old one; it's the problem
rm /bin/bash.old

For Etch I followed the same logic, but I did not have yacc installed on the system, so I had to install the bison package for that. This is what I came up with:

# first find out the version you have, so you know which source tarball and patches to get
dpkg-query -l | grep bash
# ii  bash  3.2-4  The GNU Bourne Again SHell

# do this in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz
tar zxvf bash-3.2.tar.gz
cd bash-3.2

# fetch and apply all patches, including the latest ones that fix CVE-2014-6271
# (upstream numbering starts at 001, there is no bash32-000; stop at the first failure)
for i in $(seq -f "%03g" 1 54); do
    wget -nv http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i || break
    patch -p0 < bash32-$i || break
done

# check whether yacc is installed; if not, install bison (which provides yacc)
apt-get install bison

# configure, compile and install bash (this installs bash into /usr/local/bin/bash)
./configure && make
make install

# at this point my system is not vulnerable already; test your system
# (if /usr/local/bin precedes /bin in your PATH, "bash" here is already the new binary,
# while /bin/bash is still the old one)
env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

# if this is not the case for your system, try the following

# replace /bin/bash with a symlink to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

# check that you're no longer vulnerable with the output of the following:
# it should not print the word "vulnerable" any more
env x='() { :;}; echo vulnerable' bash -c echo

# you can delete the old one; it's the problem
rm /bin/bash.old
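Both Answer 1 ("check the bash version ... or use one of the many shell test scripts") and Answer 2 ("check that you're no longer vulnerable") rely on a quick probe of the installed shell. The script below is an added example, not code from either answer nor from TaNNkoST or Ilya Sheershoff: a POSIX sh function that runs the two widely published one-liners for CVE-2014-6271 and its incomplete-fix follow-up CVE-2014-7169 against a bash binary you name, and reports its version. The function name, the 0/1/2 exit-code convention and the version line are this example's own assumptions; the probe strings are the public ones.

```shell
#!/bin/sh
# Added example (not from the answers above): probe a bash binary for the two
# headline Shellshock bugs and report its version.
#
#   shellshock_check [path-to-bash]   -> return 0 clean, 1 vulnerable, 2 binary unusable
# (the exit-code convention is this example's own)

shellshock_check() {
    ss_bin=${1:-bash}
    if ! "$ss_bin" -c 'true' 2>/dev/null; then
        echo "$ss_bin: cannot execute" >&2
        return 2
    fi
    ss_vuln=0

    # BASH_VERSION is a shell variable, so ask the probed binary itself for it
    ss_ver=$("$ss_bin" -c 'echo "${BASH_VERSION:-unknown}"' 2>/dev/null)
    echo "$ss_bin: version $ss_ver"

    # CVE-2014-6271: unpatched bash imports the exported function and keeps executing
    # whatever follows the closing brace, so "vulnerable" is printed on startup.
    ss_out=$(env x='() { :;}; echo vulnerable' "$ss_bin" -c 'echo probe' 2>/dev/null)
    case $ss_out in
        *vulnerable*) echo "CVE-2014-6271: VULNERABLE"; ss_vuln=1 ;;
        *)            echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # CVE-2014-7169: with only the first fix applied, parser state leaks out of the
    # broken function definition: the ">" is applied to the next word, so "date" runs
    # with its output written to a file literally named "echo" in the working directory.
    ss_tmp=$(mktemp -d) || return 2
    ( cd "$ss_tmp" && env X='() { (a)=>\' "$ss_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$ss_tmp/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; ss_vuln=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$ss_tmp"

    return $ss_vuln
}

# Report on the binary named on the command line (default: the bash found in PATH).
shellshock_check "$@" && ss_status=0 || ss_status=$?
echo "overall status: $ss_status (0 clean, 1 vulnerable, 2 unusable)"
```

After the source build in Answer 2, /usr/local/bin/bash and /bin/bash are different binaries until the symlink step, so run the check against both paths explicitly rather than trusting whichever "bash" PATH finds first. A clean result on these two probes only covers the first two upstream patches; the later Shellshock-related fixes (CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) are in subsequent patches, so compare the patch level you applied against the current upstream list as well.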

Answer 3

Not sure whether you want to trust these packages, but someone has already built packages for woody (3.0), sarge (3.1), etch (4.0) and lenny (5.0). They can be found here:

http://blog.bofh.it/debian/id_451

Note that there is no repository for installing these packages via apt-get. You will need to use dpkg or create your own local repository.

Answer 4

To update Bash on many different operating systems, you can use the generic Shellshock fix script.
