BASH Vulnerability for RHEL4
I have one RHEL4 release 8 box. Will purchasing self support enable me to update bash?
Responses
Swapnil, I tried the latest bash rpm for my Red Hat 4 operating system, but the latest bash download didn't fix the bug. Any ideas?
RHEL 4 is in its extended life phase and security updates will only be available to customers who have an active subscription. Oracle has provided a patched version, but you will have to try it at your own risk.
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.1.el4.i386.rpm
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.3.el4.i386.rpm
src rpm is also available at https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.el4.src.rpm
You will need to compile it and do rpmbuild
HTH
Swapnil
Hello,
I've looked in the customer portal and it's saying 3.0.27.el4 is the latest, however the updated version should be bash-3.0-27.el4.2.
bash-3.0-27.el4.2 is not available anywhere on the RH site that I can find. It's still reporting 3.0.27.el4 as the latest version. Got a link?
I am seeing the same thing, can't see bash-3.0-27.el4.2 even though it's referred to in the security advisory.
Above still shows el4 as latest (2011-01-10 is latest changelog).
Is it because my account lacks 'Extended Lifecycle Support' subscription?
I think this may need to be raised with Red Hat support for clarification.
If you have a RHEL Standard or Premium entitlement, but not ELS, please open a support case. The updated RPM will be supplied to you via case attachments. Red Hat is providing this security fix as an exception. To ensure you get future fixes they should contact their local sales team for ELS plan or initiate migration plan from RHEL 4 to a supported RHEL release.
Hello, my system has:
agarve11# cat /proc/version
Linux version 2.6.18-308.20.1.el5 (mockbuild@x86-023.build.eng.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-52)) #1 SMP Tue Nov 6 04:38:29 EST 2012
agarve11# rpm -qa bash
bash-3.2-32.el5_9.1
and is vulnerable:
agarve11# env x='() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
test
How can I download the patches to fix the problem?
Thank you
TMA Telefonica,
The reason you likely can't download the patches is that you do not have extended lifecycle support on your RHEL 4 license. As Jamie has mentioned above, open a Support Case with Red Hat (using your standard support) and they will provide you with a patch for RHEL 4 that fixes the vulnerability.
I have no trouble downloading files.
But I do not know which file to download, because for RHEL 4 the latest version of bash is bash-3.0-27.el4.x86_64.rpm, and I have the bash-3.2-32.el5_9.1 version.
agarve11# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
agarve11#
ok.
Updated:
bash.x86_64 0:3.2-33.el5_11.4
Complete!
agarve11#
agarve11#
agarve11# env x='() { :;}; echo vulnerable' bash -c "echo test"
test
thank you very much
Another query:
I correctly installed the patch on multiple servers, but on one I got the following error:
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
Public key for bash-3.2-33.el5_11.4.x86_64.rpm is not installed
What should I do?
Hi, I have a server installed with RHEL 4.4. One of the users had installed bash-3.0-27.0.2.x86_64.rpm, but on the site I see that bash-3.0-27.el4.4.x86_64.rpm is the package to install to fix the issue.
If I try to upgrade, it says I already have the latest version, bash-3.0-27.0.2. Is the package still vulnerable or not?
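Added example, not part of any post in this thread and not rpm's own code: a simplified Python reimplementation of rpm's version-segment comparison (epoch and tilde handling are left out), showing why rpm ranks bash-3.0-27.0.2 above bash-3.0-27.el4.4 and so declines the upgrade. The function names are hypothetical; the package strings are the ones quoted in this thread, without the architecture suffix.

```python
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")  # separators such as "." or "_" are ignored

def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a sorts newer than b, -1 if older, 0 if equal."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment always sorts newer than an alphabetic one,
            # which is why release "27.0.2" beats "27.el4.4".
            return 1 if x_num else -1
        if x_num:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def split_nvr(package: str):
    """Split 'name-version-release' (no arch suffix) into its three parts."""
    name, version, release = package.rsplit("-", 2)
    return name, version, release

def compare_packages(installed: str, candidate: str) -> int:
    """Compare version first, then release, as rpm does when epochs are equal."""
    _, v1, r1 = split_nvr(installed)
    _, v2, r2 = split_nvr(candidate)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def upgrade_applies(installed: str, candidate: str) -> bool:
    """True when the candidate sorts newer than the installed build."""
    return compare_packages(installed, candidate) < 0

if __name__ == "__main__":
    installed = "bash-3.0-27.0.2"  # build reported as installed in the post
    for candidate in ("bash-3.0-27.el4.2", "bash-3.0-27.el4.4"):
        verdict = "upgrade" if upgrade_applies(installed, candidate) else "skipped"
        print(f"{installed} -> {candidate}: {verdict}")
```

Sort order alone does not show whether a build contains the fix; `rpm -q --changelog bash` and the env test quoted earlier in the thread do.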
I am getting this; how do I fix it?
[root@ tmp]# ./test.sh
CVE-2014-6271 (original shellshock): not vulnerable
./test.sh: line 17: 3376 Segmentation fault shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2>/dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): not vulnerable
./test.sh: line 50: 3393 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
bash: line 129: syntax error near `x129'
bash: line 129: `for x129 in ; do :'
CVE-2014-7187 (nested loops off by one): VULNERABLE
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable