BASH Vulnerability for RHEL4

I have one RHEL4 release 8 box. Will purchasing self support enable me to update bash?

Responses

If you have access to the Customer Portal you can go to Downloads -> Product Downloads -> Red Hat Enterprise Linux. Change the version to 4, click on Packages and filter for bash.

Hope that helps.

-
Swapnil Jain

Swapnil, I tried the latest bash RPM for my Red Hat 4 operating system, but the latest bash download didn't fix the bug. Any ideas?

RHEL 4 is in its Extended Life Phase and security updates will only be available to customers who have an active subscription. Oracle has provided a patched version, but you will have to try it at your own risk.

http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.1.el4.i386.rpm
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.3.el4.i386.rpm

The src RPM is also available at https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.el4.src.rpm

You will need to compile it and do an rpmbuild.

HTH

Swapnil

If you have ANY active Standard or Premium support entitlement, not the Extended Lifecycle Support, we will provide an RPM for this particular issue.

Please open a support case.

RHEL 4 was addressed in Red Hat's overview.
https://access.redhat.com/articles/1200223

Red Hat Enterprise Linux 4: bash-3.0-27.el4.2 (Red Hat Enterprise Linux 4 ELS)

Hello,

I've looked in the customer portal and it's saying 3.0.27.el4 is the latest, however the updated version should be bash-3.0-27.el4.2.

bash-3.0-27.el4.2 is not available anywhere on the RH site that I can find. It's still reporting 3.0.27.el4 as the latest version. Got a link?

I am seeing the same thing, can't see bash-3.0-27.el4.2 even though it's referred to in the security advisory.

https://access.redhat.com/downloads/content/rhel---4/x86_64/2023/bash/3.0-27.el4/x86_64/db42a60e/package

Above still shows el4 as latest (2011-01-10 is latest changelog).

Is it because my account lacks 'Extended Lifecycle Support' subscription?

I think this may need to be raised with Red Hat support for clarification.

If you have a RHEL Standard or Premium entitlement, but not ELS, please open a support case. The updated RPM will be supplied to you via case attachments. Red Hat is providing this security fix as an exception. To ensure you get future fixes, you should contact your local sales team for an ELS plan or initiate a migration plan from RHEL 4 to a supported RHEL release.

Hello, my system has:
agarve11# cat /proc/version
Linux version 2.6.18-308.20.1.el5 (mockbuild@x86-023.build.eng.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-52)) #1 SMP Tue Nov 6 04:38:29 EST 2012
agarve11# rpm -qa bash
bash-3.2-32.el5_9.1

and is vulnerable:

agarve11# env x='() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
test

How can I download the patches to fix the problem?

thank you

TMA Telefonica,

The reason you likely can't download the patches is that you do not have extended lifecycle support on your RHEL 4 license. As Jamie has mentioned above, open a Support Case with Red Hat (using your standard support) and they will provide you with a patch for RHEL 4 that fixes the vulnerability.

I have no trouble downloading files.
But I do not know which file to download, because for RHEL 4 the latest version of bash is bash-3.0-27.el4.x86_64.rpm, and I have the bash-3.2-32.el5_9.1 version.

You look to have a RHEL 5 bash package installed on RHEL 4.

What does

cat /etc/redhat-release

provide?

agarve11# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
agarve11#

ok.
Updated:
bash.x86_64 0:3.2-33.el5_11.4

Complete!
agarve11#
agarve11#
agarve11# env x='() { :;}; echo vulnerable' bash -c "echo test"
test

thank you very much

Another query: I installed the patch correctly on multiple servers, but on one of them I got the following error:
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186

Public key for bash-3.2-33.el5_11.4.x86_64.rpm is not installed

what should I do?

and I solved it with:

$ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

thanks

Hi, I have a server installed with RHEL4.4. One of the users had installed bash-3.0-27.0.2.x86_64.rpm, but on the site I could see that the package to be installed to fix the issue is bash-3.0-27.el4.4.x86_64.rpm.

If I try to upgrade, it says I already have the latest version, bash-3.0-27.0.2. Is the package still vulnerable or not?

To test your system, you can simply run the script below to find out if you're vulnerable.

curl https://shellshocker.net/shellshock_test.sh | bash

--
Swapnil Jain
www.techpage3.com
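The checks the thread relies on (the `env x='() { :;}; ...'` one-liner earlier in the thread and the shellshocker.net script) can be run locally without piping a remote script into bash. The script below is an added example, not posted by any participant and not Red Hat's or shellshocker.net's code; it tests only the bash binary found on PATH, uses the two widely published self-tests for CVE-2014-6271 and CVE-2014-7169, and runs the second one inside a throw-away directory so a vulnerable bash cannot write anywhere else. The function names and the `rpm -q bash` line are this example's own additions.

```shell
#!/bin/sh
# Added example: local Shellshock self-check against the installed bash.
# Return codes of the check functions: 0 = vulnerable, 1 = not vulnerable,
# 2 = could not test (for instance, no bash binary on PATH).

# CVE-2014-6271: an exported variable whose value starts with "() {" is
# imported as a function; an unpatched bash also executes the code that
# follows the closing brace, so "vulnerable" is printed.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: with the incomplete first fix, the crafted definition leaves
# a redirection pending, so "echo date" runs "date" with its output written
# to a file named "echo". We look for that file in a private temp directory.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    (cd "$dir" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1)
    if [ -e "$dir/echo" ]; then found=0; else found=1; fi
    rm -rf "$dir"
    return "$found"
}

# Map a check's return code to a human-readable verdict.
verdict() {
    case "$1" in
        0) echo "VULNERABLE" ;;
        1) echo "not vulnerable" ;;
        *) echo "could not test (bash missing?)" ;;
    esac
}

# One line per CVE, plus the installed package name where rpm exists, so the
# result can be compared with the release named in the advisory.
shellshock_report() {
    rc=0; check_cve_2014_6271 || rc=$?
    echo "CVE-2014-6271 (original shellshock): $(verdict "$rc")"
    rc=0; check_cve_2014_7169 || rc=$?
    echo "CVE-2014-7169 (incomplete fix):      $(verdict "$rc")"
    if command -v rpm >/dev/null 2>&1; then
        echo "installed package: $(rpm -q bash 2>/dev/null)"
    fi
    return 0
}

shellshock_report
```

Save it as `shellshock-check.sh` and run `sh shellshock-check.sh` on each host; a patched bash prints "not vulnerable" on both lines (it may also log "ignoring function definition attempt" to stderr, which the script discards). Treating "vulnerable" as exit code 0 makes the functions easy to use from a loop over many servers.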

I am getting this; how do I fix it?

[root@ tmp]# ./test.sh
CVE-2014-6271 (original shellshock): not vulnerable
./test.sh: line 17: 3376 Segmentation fault shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2>/dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): not vulnerable
./test.sh: line 50: 3393 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
bash: line 129: syntax error near x129'
bash: line 129:
for x129 in ; do :'
CVE-2014-7187 (nested loops off by one): VULNERABLE
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Yes, it is VULNERABLE. You can find more information on shellshocker.net; they also have instructions on patching your bash.

--
Swapnil Jain
www.techpage3.com