Bash Code Injection Vulnerability aka ShellShock

Sunday, September 28th, 2014

A recently discovered vulnerability in bash left many servers open to exploitation.

There are many resources on the subject.

I ran into a problem where the vendors were not releasing updates for bash on RHEL4 / CentOS 4 boxes, with good reason, since RHEL 4 has been EOL since March 2012.

Unfortunately the fact that an OS is EOL does not solve the problems that arise in cases like these.

Many people have valid reasons for running outdated and unsupported OSes.

In any event, I needed a fix for the problem.

Attached you will find my source RPM for RHEL4 / CentOS4 systems that you can use to compile a patched version of bash.

I’ve included the patches for both CVE-2014-6271 and CVE-2014-7169.

For more details please see: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)

Download Patched Source RPM: bash-3.0-27.3.src.rpm
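
After rebuilding and installing the package, it is worth confirming that the bash binary actually carries both fixes. The script below is an added example, not part of the original post: it runs the commonly published self-checks for CVE-2014-6271 and CVE-2014-7169 with harmless marker commands, and the function names and marker string are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: post-install check for a rebuilt bash.
# Rebuild and install first (as root on the RHEL4 / CentOS 4 box):
#   rpmbuild --rebuild bash-3.0-27.3.src.rpm
#   rpm -Uvh <path printed on rpmbuild's "Wrote:" line>

# check_6271 BASH_PATH -> prints "vulnerable" or "patched".
# An unpatched bash executes the text that trails the function body
# while importing the environment variable, so the marker is printed.
check_6271() {
    out=$(env 'x=() { :;}; echo MARKER_6271' "$1" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *MARKER_6271*) echo vulnerable ;;
        *)             echo patched ;;
    esac
}

# check_7169 BASH_PATH -> prints "vulnerable" or "patched".
# With only the first patch applied, the leftover ">\" from the variable
# turns "echo date" into a redirection that creates a file named "echo".
# The check runs in a scratch directory so nothing else is touched.
check_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env 'X=() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Check the binary given as the first argument, or the bash found in PATH.
target=${1:-$(command -v bash)}
echo "CVE-2014-6271: $(check_6271 "$target")"
echo "CVE-2014-7169: $(check_7169 "$target")"
```

Both lines should read "patched" once the rebuilt package is installed; pass a path as the first argument to check a specific binary.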