BASH Vulnerability for RHEL4

Latest response

I have one RHEL4 release 8 box. will purchasing a self support enable me to update the bash?


If you have access to customer portal you can go to downloads -> product downloads -> Red Hat Enterprise Linux. Change the version to 4 and click on packages and filter bash.

Hope that helps.

Swapnil Jain

Swapnil I tried the latest bash rpm for my redhat 4 operating system but the latest bash download didn't fix the bug. Any ideas.

RHEL 4 is in it's extended life phase and security updates will be only available to customers who have a active subscription. Oracle has provided a patched version but you will have to try it on your own risk.

src rpm is also available at

You will need to compile it and do rpmbuild



If you have ANY active Standard or Premium support entitlement, not the Extended Lifecycle Support, we will provide an RPM for this particular issue.

Please open a support case.

RHEL 4 was addressed in Red Hat's overview.

Red Hat Enterprise Linux 4 bash-3.0-27.el4.2 Red Hat Enterprise Linux 4 ELS


I've looked in the customer portal and it's saying 3.0.27.el4 is the latest, however the updated version should be bash-3.0-27.el4.2.

bash-3.0-27.el4.2 is not available anywhere on the RH site I can find. Its still reporting 3.0.27.el4 as the latest version. Got a link?

I am seeing the same thing, can't see bash-3.0-27.el4.2 even though it's referred to in the security advisory.

Above still shows el4 as latest (2011-01-10 is latest changelog).

Is it because my account lacks 'Extended Lifecycle Support' subscription?

I think this may need to be raised with Red Hat support for clarification.

If you have a RHEL Standard or Premium entitlement, but not ELS, please open a support case. The updated RPM will be supplied to you via case attachments. Red Hat is providing this security fix as an exception. To ensure you get future fixes they should contact their local sales team for ELS plan or initiate migration plan from RHEL 4 to a supported RHEL release.

Hello, my system has:
agarve11# cat /proc/version
Linux version 2.6.18-308.20.1.el5 ( (gcc version 4.1.2 20080704 (Red Hat 4.1.2-52)) #1 SMP Tue Nov 6 04:38:29 EST 2012
agarve11# rpm -qa bash

and is vulnerable:

agarve11# env x='() { :;}; echo vulnerable' bash -c "echo test"

as I can download the patches to fix the problem?

thank you

TMA Telefonica,

The reason you likely can't download the patches is that you do not have extended lifecycle support on your RHEL 4 license. As Jamie has mentioned above, open a Support Case with Red Hat (using your standard support) and they will provide you with a patch for RHEL 4 that fixes the vulnerability.

I have no trouble downloading files.
But I do not know which file down. Because for RHEL 4, the latest version of bash is bash-3.0-27.el4.x86_64.rpm, and I have the bash-3.2-32.el5_9.1 version.

You look to have a RHEL 5 bash package installed on RHEL 4.

What does

cat /etc/redhat-release


agarve11# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)

bash.x86_64 0:3.2-33.el5_11.4

agarve11# env x='() { :;}; echo vulnerable' bash -c "echo test"

thank you very much

Another query,
correctly install the patch on multiple servers, but one came the following error:
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186

Public key for bash-3.2-33.el5_11.4.x86_64.rpm is not installed

what should I do?

and I solved it with:

$ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release


Hi, i have a server installed with RHEL4.4, one of the user had installed bash-3.0-27.0.2.x86_64.rpm but in site i could see this as to be installed to fix the issue bash-3.0-27.el4.4.x86_64.rpm.

If i try to upgrade it says already have latest version bash-3.0-27.0.2, do the package still vulnerable or not

To test your system, you can simply run this script below to find if you're vulnerable.

curl | bash

Swapnil Jain

I am getting like this, how to fix it

[root@ tmp]# ./
CVE-2014-6271 (original shellshock): not vulnerable
./ line 17: 3376 Segmentation fault shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2>/dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): not vulnerable
./ line 50: 3393 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
bash: line 129: syntax error near x129'
bash: line 129:
for x129 in ; do :'
CVE-2014-7187 (nested loops off by one): VULNERABLE
CVE-2014-//// (exploit 3 on not vulnerable

Yes it is VULNERABLE, you can have more information on, they also have instruction on patching your bash.

Swapnil Jain