# Linux Bash security flaw - September 2014

Sep 24, 2014 threads:

* <http://www.metafilter.com/143038/Running-a-server-Drop-everything-and-update-it-now>
* <https://news.ycombinator.com/item?id=8361574>
* <https://news.ycombinator.com/item?id=8364746>
* <https://news.ycombinator.com/item?id=8365158>
* <https://news.ycombinator.com/item?id=8365110>

Stories:

* <http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html>
* <http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html>
* <http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/>
* <http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered-7000034044/>


To test if machine is vulnerable, execute at the command prompt:

`env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`


On my Digital Ocean-hosted Ubuntu server, the system returned:

`vulnerable  
this is a test`

I updated Bash by executing:

    sudo apt-get update &amp;&amp; sudo apt-get install --only-upgrade bash


Then after executing `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"` again, the system returned:

    bash: warning: badvar: ignoring function definition attempt 
    bash: error importing function definition for `badvar'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

But as of Sep 24, 2014, the update is only a partial fix.

I tested the servers that host my other sites, and those servers did not show the vulnerability.  I would not be able to update those servers, since my accounts exist on shared servers.



 #linux - #security

markdown=yes