Where can I download a complete set of patched bash sources that fix the "shellshock" vulnerability?

Downloading bash-4.3 and applying patches 1 through 25 (from http://ftp.gnu.org/gnu/bash) produces a bash build that is still affected by two potential vulnerabilities (as described in this article: https://access.redhat.com/articles/1200223).

My question is: does anyone know where I can download the remaining patches, or a fully patched set of sources, from a reputable site?

Here is the relevant excerpt from the linked article:

The versions with only the original CVE-2014-6271 fix applied 
produce the following output:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

The fix for CVE-2014-7169 ensures that the system is protected from the file 
creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169,
run the following command:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

If your system is vulnerable, the time and date information will be output on the
screen and a file called /tmp/echo will be created.

If your system is not vulnerable, you will see output similar to:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

Answer 1

The patches for CVE-2014-7169 were originally posted here: http://www.openwall.com/lists/oss-security/2014/09/26/1

They were later pushed to the official GNU ftp site: https://ftp.gnu.org/gnu/bash/

They need to be applied on top of the patches for CVE-2014-6271.
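As an added example (not code from the question or any of the answers), the script below fetches bash-4.3 and its patch series from the GNU site named above, applies them in order, builds, and then runs the two Red Hat checks quoted in the question against a given bash binary. It assumes the patch files are published as bash43-NNN under a bash-4.3-patches/ subdirectory and that curl, patch, make and a C compiler are available; the highest patch number to apply is passed in, since the page only says it is above 25.

```shell
#!/bin/sh
# Added example: build a patched bash-4.3 and verify it with the Red Hat checks.
# Assumption: patches are published as bash43-NNN under bash-4.3-patches/.
set -eu

BASE_URL="${BASE_URL:-https://ftp.gnu.org/gnu/bash}"
VERSION="4.3"

# Patch file name for bash 4.3, e.g. patch 26 -> bash43-026.
patch_name() {
    printf 'bash%s-%03d' "$(printf '%s' "$VERSION" | tr -d '.')" "$1"
}

# Download bash-$VERSION and apply patches 1..N in order, then build.
# N is the highest patch published (above 25 once CVE-2014-7169 is covered).
fetch_and_patch() {
    n="$1"
    curl -fsSLO "$BASE_URL/bash-$VERSION.tar.gz"
    tar xzf "bash-$VERSION.tar.gz"
    cd "bash-$VERSION"
    i=1
    while [ "$i" -le "$n" ]; do
        p=$(patch_name "$i")
        curl -fsSLO "$BASE_URL/bash-$VERSION-patches/$p"
        patch -p0 < "$p"          # GNU bash patches are relative to the source root
        i=$((i + 1))
    done
    ./configure && make
    cd ..
}

# CVE-2014-6271 check from the Red Hat article: a vulnerable bash executes the
# trailing "echo vulnerable" while importing the function from the environment.
check_cve_2014_6271() {
    out=$(env 'x=() { :;}; echo vulnerable' "$1" -c "echo test" 2>/dev/null) || true
    case "$out" in *vulnerable*) echo vulnerable ;; *) echo patched ;; esac
}

# CVE-2014-7169 check: a vulnerable bash runs `date` and writes a file named
# echo in the working directory; a temp dir replaces /tmp from the article.
check_cve_2014_7169() {
    d=$(mktemp -d)
    (cd "$d" && env 'x=() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1) || true
    if [ -f "$d/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$d"
}

# Usage: fetch_and_patch 26 && check_cve_2014_6271 bash-4.3/bash
```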

Answer 2

What is your OS? I just followed the instructions here for EOL Ubuntu systems and it worked fine: http://ubuntuforums.org/showthread.php?t=2245682&p=13128872#post13128872

Adapted from https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it/528171#528171

I think version 3.2 is for 32-bit and 4.3 is for 64-bit, trying to confirm that now...

Answer 3

For Debian and derivative (Ubuntu/Mint) users, the fixed Bash is already in the repositories. To fix it, just type apt-get update && apt-get install --only-upgrade bash

Answer 4

For Fedora 20, the fixed version of bash is also in the repositories.