Are You Vulnerable to Shellshock

Run the following two commands:

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

If you see “busted”, then you are vulnerable. When I tried it on my PC, the second command revealed that my Ubuntu was vulnerable to Shellshock. On Ubuntu, /bin/sh is not bash (it is dash). Only bash is affected by this vulnerability. But the latest upgrade has fixed the issue.
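
The same probe can be run against every shell listed in /etc/shells rather than only /bin/sh and bash, since on some systems /bin/sh is itself bash. This is an added example, not part of the original post; the function names shellshock_check and audit_shells are made up for illustration.

```sh
#!/bin/sh
# Added example: apply the page's probe to each login shell on the system.

# shellshock_check SHELL
# Returns 0 if SHELL executes the trailing "echo busted" from X (vulnerable),
# 1 if it only prints "completed", 2 if SHELL is missing or did not run -c.
shellshock_check() {
    shell=$1
    [ -x "$shell" ] || return 2
    # Same probe as on the page; stdin is closed so no shell waits for input.
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo completed' \
          2>/dev/null </dev/null)
    case $out in
        *busted*)    return 0 ;;
        *completed*) return 1 ;;
        *)           return 2 ;;
    esac
}

# audit_shells [FILE]
# Checks each absolute path listed in FILE (default /etc/shells) and prints
# one line per shell with the binary it resolves to.
# Returns 1 if any shell is vulnerable, 2 if FILE is unreadable, else 0.
audit_shells() {
    list=${1:-/etc/shells}
    found=0
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    while IFS= read -r sh; do
        case $sh in /*) ;; *) continue ;; esac   # skip comments and blanks
        real=$(readlink -f "$sh" 2>/dev/null) || real=$sh
        st=0; shellshock_check "$sh" || st=$?
        case $st in
            0) echo "VULNERABLE  $sh -> $real"; found=1 ;;
            1) echo "ok          $sh -> $real" ;;
            *) echo "skipped     $sh (missing or no -c support)" ;;
        esac
    done < "$list"
    return "$found"
}

audit_shells "${1:-/etc/shells}" || echo "audit did not come back clean" >&2
```

The "-> path" column shows what each entry really is, which makes it obvious when /bin/sh resolves to dash (not affected) or to bash.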

Use dpkg to check your installed package version:

dpkg -s bash | grep Version

This will look up info on your bash package, and filter the output to only show you the version. The fixed versions are 4.3-7ubuntu1.4, 4.2-2ubuntu2.5, and 4.1-2ubuntu3.1.

For example, I see:

dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.4

and can determine that I am not vulnerable. (When I was vulnerable to Shellshock, it showed Version: 4.3-7ubuntu1.)

The standard update manager will offer you this update. This is a prime example of how security updates are important, no matter what OS you use or how well-maintained it is.

The USN Bulletin states that new versions have been released for Ubuntu 14.04 Trusty Tahr, 12.04 Precise Pangolin, and 10.04 Lucid Lynx (this is why I like to stick to LTS versions). If you are not on one of these LTS versions, but are on a reasonably recent version, you’ll most likely be able to find a patched package.
