How to Protect Your Server Against the Shellshock Bash Vulnerability

Posted September 25, 2014 (Security)

Introduction

On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the “Bash Bug”, was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code under certain conditions by appending code to a function definition stored in an environment variable. Because of Bash’s ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions from 1.14 through 4.3 (i.e. all releases until now) are at risk.

The Shellshock vulnerability can be exploited on systems that are running services or applications that allow unauthorized remote users to set Bash environment variables. Examples of exploitable systems include the following:

  • Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or spawn Bash subshells
  • Certain DHCP clients
  • OpenSSH servers that use the ForceCommand capability
  • Various network-exposed services that use Bash

A detailed description of the bug can be found at CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

Because the Shellshock vulnerability is very widespread, even more so than the OpenSSL Heartbleed bug, and particularly easy to exploit, it is highly recommended that affected systems are properly updated to fix or mitigate the vulnerability as soon as possible. We will show you how to test if your machines are vulnerable and, if they are, how to update Bash to remove the vulnerability.

Check System Vulnerability

On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

The "echo Bash is vulnerable!" portion of the command represents where a remote attacker could inject malicious code: arbitrary code placed after a function definition within an environment variable assignment. Therefore, if you see the following output, your version of Bash is vulnerable and should be updated:

Bash is vulnerable!
Bash Test

If your output does not include the simulated attacker’s payload, i.e. “Bash is vulnerable!” is not printed, you are protected against at least the first vulnerability (CVE-2014-6271), but you may be vulnerable to the other CVEs that were discovered later. If there are any Bash warnings or errors in the output, you should update Bash to its latest version; this process is described in the next section.

If the only thing that is output from the test command is the following, your Bash is safe from Shellshock:

Bash Test
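
The test above only covers CVE-2014-6271. The following script is an added example, not part of the original tutorial: it wraps that probe together with the probes for the other three CVEs the article names (the same commands quoted later in the comment thread) so that each one returns a single word, which makes the check usable from a fleet-wide job or a configuration-management run. It assumes the Bash to test is on PATH as "bash" (override with BASH_BIN) and that mktemp -d is available; the exit-status rule for the two crash bugs (a signal death, exit status 128 or more, counts as vulnerable) is a refinement over the bare "||" used in the comments.

```shell
#!/bin/sh
# Added example (not the tutorial's own code). Each check_* function prints
# "patched" or "vulnerable"; shellshock_report prints one line per CVE.
# Assumptions: "bash" on PATH (or BASH_BIN set) and a working "mktemp -d".

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: code appended to a function definition in an environment
# variable is executed when Bash imports the variable at startup.
check_cve_2014_6271() {
    out=$(env 'VAR=() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the incomplete first fix leaked parser state; a vulnerable
# Bash runs "date" with output redirected into a file named "echo".
# The probe runs in a scratch directory so that file never lands in cwd.
check_cve_2014_7169() {
    dir=$(mktemp -d) || { echo error; return 1; }
    ( cd "$dir" && env 'X=() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# Exit status 128+N means the process died from signal N (139 = SIGSEGV),
# which is how the two parser overflow bugs manifest; an ordinary error
# exit (1 or 2) is not a crash.
crashed() { [ "$1" -ge 128 ]; }

# CVE-2014-7186: too many here-documents on one command overflow
# redir_stack and crash a vulnerable Bash; a fixed Bash only warns.
check_cve_2014_7186() {
    status=0
    "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 || status=$?
    if crashed "$status"; then echo vulnerable; else echo patched; fi
}

# CVE-2014-7187: 200 nested "for" loops overflow word_lineno in a
# vulnerable Bash; a fixed Bash parses and runs the script normally.
check_cve_2014_7187() {
    script=''
    i=1
    while [ "$i" -le 200 ]; do
        script="${script}for x$i in ; do :\n"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 200 ]; do
        script="${script}done\n"
        i=$((i + 1))
    done
    status=0
    printf '%b' "$script" | "$BASH_BIN" >/dev/null 2>&1 || status=$?
    if crashed "$status"; then echo vulnerable; else echo patched; fi
}

# One "CVE result" line per probe, or "no-bash" when there is nothing to test.
shellshock_report() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    echo "CVE-2014-6271 $(check_cve_2014_6271)"
    echo "CVE-2014-7169 $(check_cve_2014_7169)"
    echo "CVE-2014-7186 $(check_cve_2014_7186)"
    echo "CVE-2014-7187 $(check_cve_2014_7187)"
}

# Exit status 0 when no probe reports "vulnerable", 1 otherwise.
shellshock_is_patched() {
    ! shellshock_report | grep -q vulnerable
}

shellshock_report
```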

Test Remote Sites

If you simply want to test if websites or specific CGI scripts are vulnerable, use this link: ‘ShellShock’ Bash Vulnerability CVE-2014-6271 Test Tool.

Simply enter the URL of the website or CGI script you want to test in the appropriate form and submit.

Fix Vulnerability: Update Bash

The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash. The following subsections cover updating Bash on various Linux distributions, including Ubuntu, Debian, CentOS, Red Hat, and Fedora.

APT-GET: Ubuntu / Debian

For currently supported versions of Ubuntu or Debian, update Bash to the latest version available via apt-get:

sudo apt-get update && sudo apt-get install --only-upgrade bash

Now check your system vulnerability again by running the command in the previous section (Check System Vulnerability).

End of Life Ubuntu / Debian Releases

If you are running a release of Ubuntu / Debian that has reached end of life status, you will have to upgrade to a supported release before you can use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):

sudo do-release-upgrade

After the upgrade is complete, ensure that you update Bash.

YUM: CentOS / Red Hat / Fedora

Update Bash to the latest version available via yum:

sudo yum update bash

Now check your system vulnerability again by running the command in the previous section (Check System Vulnerability).

End of Life CentOS / Red Hat / Fedora Releases

If you are running a release of CentOS / Red Hat / Fedora that has reached end of life status, you will have to upgrade to a supported release before you can use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):

sudo yum update

After the upgrade is complete, ensure that you update Bash.

Conclusion

Be sure to update all of your affected servers to the latest version of Bash! Also, be sure to keep your servers up to date with the latest security updates!

99 Comments

  • Ubuntu now has the latest version of Bash sent out to their repositories. More info here:

    http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html

    • It’s available in the main Ubuntu repositories and is being synced to mirrors now. Here’s the changelog entry:

      bash (4.3-7ubuntu1.2) trusty-security; urgency=medium
      
        * SECURITY UPDATE: incomplete fix for CVE-2014-6271
          - debian/patches/CVE-2014-7169.diff: fix logic in parse.y.
          - CVE-2014-7169
      
       -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Sep 2014 02:06:49 -0400
      

      Note that there will probably be more fixes to follow.

    • And there’s already been an additional update for 14.04:

      USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch for CVE-2014-7169 didn’t get properly applied in the Ubuntu 14.04 LTS package. This update fixes the problem.

      See http://www.ubuntu.com/usn/usn-2363-2/

    • Please read: The shockingly obsolete code of bash (erratasec.com)

      Best switch to Zsh while your system is still uncompromised.

  • Thanks for this. Fixed it on my home computer and remote server. Awesome!

  • After update, is there any need to restart anything ??

    I am with CentOS 6.5 x32

  • Hey Guys,

    I just checked & updated the path on one of our production server.

    After doing a “yum update bash”, rechecked:

    env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

    It simply gave below output:

    Bash Test

    Is this still vulnerable or patches updated? Please suggest.

    Cheers,
    Vasu

  • Here’s Puppet code to patch it on CentOS:

    exec { 'patch_shellshock_security_hole':
      command => "/usr/bin/yes | /usr/bin/yum update bash; touch /root/shellshock_bug_has_been_patched",
      creates => '/root/shellshock_bug_has_been_patched',
    }
    

    I have just tested this code and it worked fine on CentOS 6.4.

    Ross

  • Same for Ubuntu 13.10?

    • No. For Ubuntu 13.10, you will need to do a full upgrade to Ubuntu 14.04. It’s important to note that only currently supported releases will receive this update. This does not include 13.10 or 13.04. These have reached “end of life” and do not receive updates. It’s highly recommended that you run one of the Ubuntu “Long Term Support” releases like 14.04 or 12.04 on servers. These continue to receive security patches for 5 years while the interim releases are only supported for 9 months.

  • I have 4.5.1(1) on 2 Ubuntu Servers.
    Does that mean not vulnerable?
    Test says otherwise.
    You state 4.3 is the latest.

    • What’s the actual full version string of the Ubuntu package? Check the output of apt-cache policy bash

    • The easier answer is to run the test. If it says it’s vulnerable, then it’s time to update.

    • Sorry I had to deal with power outage caused by failed shunt switch circuitry.
      Also Ubuntu release is 10.10

      apt-cache policy bash
      bash:
      Installed: 4.1-2ubuntu4
      Candidate: 4.1-2ubuntu4
      Version table:
      *** 4.1-2ubuntu4 0
      500 http://us.archive.ubuntu.com/ubuntu/ maverick/main amd64 Packages
      100 /var/lib/dpkg/status/

  • I think, even if it’s not vulnerable, it’s a good idea to update bash to the latest version

  • I have Ubuntu 12.10 that is not more supported… what the best way to upgrade?

  • I hadn’t touched my droplet in quite a while - turns out I’m on 12.04 which has been EOL'ed and can’t seem to be updated. Any suggestions on how to handle this?

  • The CentOS yum repository has the fix. I just installed it on my CentOS 6.5 droplets.

  • Not so fast! Give it a try, still vulnerable!

    env -i X=' () { }; echo hello' bash -c 'date'
    

    https://shellshocker.net/

  • Thank you Digital Ocean, I am very happy with your hosting company :)

  • if you have some old / EOL release, this code may help you.

    it requires you to have a compiler, patch & make, as such you may need to install these packages

    for Ubuntu you can do

    apt-get install gcc make patch

    for CentOS/variants

    yum install gcc


    (you may uninstall them afterwards if you no longer need)

    after that, you can install bash from scratch, follow these commands (taken from the internet somewhere)

    can first "cd /tmp" or start in any directory of your choice; must be executed as root
    [updated 2014-09-27 0900 EST [GMT-0500] now 26 patches instead of 25]
    [updated 2014-09-28 0900 EST [GMT-0500] now 27]
    [updated 2014-10-01 1400 EST [GMT-0500] now 28]
    [updated 2014-10-02 2300 EST [GMT-0500] now 29]

    mkdir src
    cd src
    wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    #download all patches
    for i in $(seq -f "%03g" 0 30); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
    tar zxvf bash-4.3.tar.gz 
    cd bash-4.3
    #apply all patches
    for i in $(seq -f "%03g" 0 30);do patch -p0 < ../bash43-$i; done
    #build and install
    ./configure && make && make install
    cd .. 
    cd ..
    rm -r src
    

    after this you should have the newest bash installed on your system

    run the test again to check yourself

    env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
    

    you should be good to go now!

    • Hope this works, last time I tried to do an upgrade on the droplet I use for testing it blew up my wordpress site and I just rolled it back (props for snapshot). Unfortunately I have not had the time to work on those issues more and am still running 13.10. I assume after I get bash installed I can remove gcc, make and patch if they are not needed anymore?

    • You Sir, are a F$%king legend. You have just made me one very happy server admin :-) Kudos

    • change the loop values from 25 to 26 to include the latest patch (26-Sep-2014 17:02)

    • @gd Thank you!!

    • The patches have been updated again - please change the loop from 26 to 27.

  • To update from an older version of ubuntu (e.g. saucy), run this first:

    sudo sed -i 's/saucy/trusty/g' /etc/apt/sources.list
    

    That will update your sources to the newer ones. It might cause some incompatibility eventually, but it let me fix this problem for now.

    • I’d recommend using the do-release-upgrade script that comes with Ubuntu if you plan on upgrading the entire release.

  • I did the update and now can no longer SSH into my droplet. Anyone have any thoughts?

    • Sounds like something else was changed. Try accessing the console of your droplet via the control panel.

    • Had the same problem with ARCH linux.

      The reason was removed “/bin/bash” link. (not sure what else is removed…).

      There used to be “/bin/bash” and “/bin/sh” links pointing to “/usr/bin/bash”, but after running “pacman -S bash” those links got removed. I used recovery procedure to get them back, now I can login again.

    • I’m not able to access the console via the control panel nor the server via SSH. When I try to log in to the control panel, it appears to first accept my credentials and then reset back to the login screen.

      Any thoughts?

    • @andyrusch could you open a support ticket and provide them with any pertinent details.

    • Thanks @manicas - I did that but the solution provided requires quite a bit of downtime on a live server.

      @digitalocean593 - Can you let me know exactly what you did to get these files back? I’d really really appreciate it!

    • Which linux are you running? Distribution/kernel version?

    • @digitalocean593 - I’m Ubuntu 14.04 x64 vmlinuz-3.13.0-24-generic

    • Well, it’s different to what I have, so no guarantees then.

      Here is what I did:

      1. Power off your droplet
      2. In the control panel, click on your droplet and select “Settings” / “Recovery”
      3. Start recovery
      4. Open console
      5. mount root file system (“mkdir /ssd && mount /dev/vda /ssd” in my case)
      6. Restore symbolic links (“ln -s /usr/bin/bash /ssd/bin/bash; ln -s /usr/bin/bash /ssd/bin/sh; umount /ssd”)
      7. In the control panel, select your original kernel (from your post above)
      8. Reboot the droplet.

      If you know what you are doing, the whole procedure should take about 2 minutes.

      Good luck!

    • Thanks @digitalocean593!! I really appreciate it!

  • For people using ServerPilot to manage servers running PHP and WordPress sites, your servers are already patched. More info here:

    https://www.serverpilot.io/blog/2014/09/25/bash-shellshock-security-updates.html

  • Ubuntu here… 4 droplets. Worked for versions 12.04 and 14.04 but not working in version 13.10

    after running the apt-get command

    ....
    bash is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 84 not upgraded.

    but vulnerability still there based in the test for version 13.10 as i said.

    • As mentioned in earlier comments by @asb:

      For Ubuntu 13.10, you will need to do a full upgrade to Ubuntu 14.04. It’s important to note that only currently supported releases will receive this update. This does not include 13.10 or 13.04. These have reached “end of life” and do not receive updates. It’s highly recommended that you run one of the Ubuntu “Long Term Support” releases like 14.04 or 12.04 on servers. These continue to receive security patches for 5 years while the interim releases are only supported for 9 months.

    • I had 2 droplets with version 13.10. I have upgraded both to 14.04 as you said. Both fixed, thanks.

  • Thanks for making it easy. Just two commands, one to see that I need a fix and one to fix it. All done!
    I’m no linux guru, I just want to run a wordpress server!

  • I have some droplets with:

    Distributor ID: Ubuntu
    Description: Ubuntu 12.10
    Release: 12.10
    Codename: quantal

    And they don’t update. What i need to do so?

    I mean, there won't be a patch for this (and other) versions?

    • I am not a linux/admin guru, just a developer (your ads work) but, why do you offer ubuntu images (12.10) in droplets that won't be supported for updates like this.

      Seriously?

    • @Mauricio We do not offer Ubuntu 12.10, nor have we since it reached “end of life.” We currently offer Ubuntu 10.04, 12.04, and 14.04 which are all “Long Term Support” releases. When Ubuntu 14.10 is released next month, we will provide images for that as well even though it is not an LTS. Many users wish to have the latest packages available. LTS releases provide security fixes, but not new major versions in order to remain stable. These releases are now (starting with 13.10) supported for 9 months at a time. 12.10 was supported for 18 months. The LTS releases are supported for 5 years. In order to upgrade to a more current release, you can run do-release-upgrade

    • @petethechop Hi Pete! I’m not sure what you are proposing. The list of available operating systems when creating a new droplet is quite clear (http://i.imgur.com/Gvd46ss.png). We still provide kernels for older Ubuntu releases, as many customers launched droplets with those releases when they were supported. If we were to pull the kernels out from under them, it would make the droplets unusable.

    • @asb that select list will allow me to change my kernel to Ubuntu 12.10 from my current version, so I consider it an overstatement to say with emphasis that you do not offer that version. ‘sall I’m sayin’

  • For older versions of Ubuntu you can follow the steps here:

    http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/

    You can update the respository to get the latest bash version and then can always set the repository back to the original after updating bash.

  • Here is what I did for my Ubuntu droplet…

    apt-get update && apt-get -y upgrade
    apt-get install -y bash

    seems to have worked

  • I do an apt-get update and even an apt-get upgrade on my Debian(6) squeeze and it says all packages are up to date so sudo apt-get update && sudo apt-get install --only-upgrade bash does not do anything. Bash is latest version and still not fixed, any other way i can update it?

  • Great article, well written and easy to follow. Thanks!

  • Thanks this really useful, i have fixed my bash!!!!

  • If the test on http://shellshock.brandonpotter.com/ is showing no vulnerabilities, but the bash test command does show vulnerabilities, do you think we are safe to wait until the full fix is released?

    Thank you,

  • Hello -

    Is it really fixed? :

    Still more vulnerabilities in bash? Shellshock becomes whack-a-mole
    http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/

    From the above article I think it is not fixed.

    cfg83

  • Hello -

    On my 14.x Ubuntu droplet I am patched up to bash 4.3.11(1)-release

    I went here :

    https://twitter.com/taviso/status/514887394294652929
    

    And tried this test :

    env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
    

    And got this output :

    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    echo vuln
    still vulnerable :(
    

    Question: Is the above test legitimate?

    cfg83

  • Thanks a lot, just fixed it on my holaunblocker.com droplet.

  • Thanks. It worked out perfectly on Ubuntu 14.04 and 12.04.

    Does anybody know how to upgrade bash on Debian lenny?

  • You must use the squeeze-lts repository in order to continue receiving updates to Debian 6 Squeeze

    To add this repository, edit /etc/apt/sources.list and add the line

    deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib
    

    To update only bash, after running apt-get update use apt-get install --only-upgrade bash

    • @xandr0s Thanks a lot! That worked well.

      In addition I just had to run apt-get install debian-archive-keyring prior to apt-get update, in order not to get the NO_PUBKEY error.

  • You all should have been using Zsh instead of Bash in the first place.

  • We all ought to be using Zsh instead of Bash in the first place.

  • If you’re using gd’s solution below to build from scratch, change the two loop values from 25 to 26:

    for i in $(seq -f "%03g" 0 26); do …

    because there is one more patch available, dealing with the latest vulnerability.

  • Thanks a lot, but is there any opportunity to update my OS X Server?

    BTW, here is good HOWTO to protect web applications against ShellShock, not only servers.

  • Debian 7 works great!

    env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
    Bash is vulnerable!
    Bash Test

    So…

    env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
    Bash Test

    Fucking thank you!!!

  • Great article. Thanks for simplifying it.

  • Just wanted to say thank you. I am very happy to see that the documentation is growing!

    Keep up the excellent work and thank you for your detailed article!

    Worked flawlessly on our gitlab

  • My debian server now passes the above “Check System Vulnerability” test. But I read elsewhere of the test below, which fails:
    env var='() {(a)=>' bash -c "echo date"; cat echo

    Apparently a patched system should not print the date, but my system does. Is this something that requires action in addition to the instructions above?

  • Excellent article. Now that we know that there is a fix for Shell Shock, I just want to share with everyone that if you want to check if your Mac or Linux is vulnerable to Shell Shock. You can find out more about checking Shell Shock vulnerability from this page:

    http://devicegarage.weebly.com/diy-repair-blog/shell-shock-check

  • Centos 6.5 without updating getting only Bash Test, do i have to update the bash?

  • as a suggestion, people with old ubuntu releases should consider getting their boxes updated to a recent release.

    You can use “do-release-upgrade” to do so. If it is not available, run “sudo apt-get install update-manager-core” after fixing your “etc/apt/sources.list”

  • Note that if you see the following IP’s in your logs it’s just scanning:

    209.126.230.72 (Erratesec)
    166.78.61.142 (Nixon Security)
    54.217.253.19 (Detectify)
    (from the TIB at http://pwc.blogs.com/cyber_security_updates/2014/09/how-can-you-deal-with-shellshock.html )

  • I can’t see how this BASH bug allows a completely unauthorised user to compromise a system without access to at least an unprivileged account on the target machine.

    Don’t get me wrong, all my systems are patched, even the ones hidden well behind firewalls - I’m not that silly/adventurous.

    Just simply being that unless the attacker can gain more access to my system(s) than I care for I can’t see their opportunity to access bash enough to attempt to exploit the bug.

    Please tell me how anyone who doesn’t have access to at least an unprivileged account on the target system can possibly exploit the bug - maybe it would not be wise to go into detail really, perhaps just a firm statement that it is possible will suffice me.

    If it is possible for somebody with no (access to any) account on the target system to use this vulnerability then there must be some other window/door/entry-point that needs closing too imho.

  • Well, Why you didn’t cover or at least mention the other shell bugs that are more serious than this one?
    Please go to ShellShocker and you will get the latest update about shellshock.

    Here are the current exploits (source:ShellShocker ):

    Exploit 1 (CVE-2014-6271)

    There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    

    If you see “vulnerable” you need to update bash. Otherwise, you should be good to go.

    Exploit 2 (CVE-2014-7169)

    Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.

    env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo ; rm -f echo
    

    If the above command outputs the current date (it may also show errors), you are still vulnerable.

    Exploit 3 (???)

    Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.

    env -i X=' () { }; echo hello' bash -c 'date'
    

    If the above command outputs “hello”, you are vulnerable.

    Exploit 4 (CVE-2014-7186)

    bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
    echo "CVE-2014-7186 vulnerable, redir_stack"
    

    Exploit 5 (CVE-2014-7187)

    (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
    echo "CVE-2014-7187 vulnerable, word_lineno"
    
  • Already updated :) Thx

  • Great post. you can also assess, prepare, defend and react to the shellshock epidemic by referring this Toolkit

  • Tried to upgrade an Ubuntu 12.10 Quantal installation using this guide and it looks like the DigitalOcean mirrors are preventing the apt-get package list from downloading, so there’s no upgrade available for bash. What can I do to resolve?

    # Observe bash is vulnerable:
    colin@menagerie1:~$ env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
    Bash is vulnerable!
    bash: FUNCTION(): line 0: syntax error near unexpected token `)'
    bash: FUNCTION(): line 0: `FUNCTION() () { :;}; echo Bash is vulnerable!'
    bash: error importing function definition for `FUNCTION'
    Bash Test
    
    
    # Check version:
    colin@menagerie1:~$ bash --version
    GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
    Copyright (C) 2011 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    
    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    
    # Attempt upgrade:
    colin@menagerie1:~$ sudo apt-get update && sudo apt-get install --only-upgrade bash
    [sudo] password for colin: 
    Ign http://security.ubuntu.com quantal-security Release.gpg
    Ign http://mirrors.digitalocean.com quantal Release.gpg                
    Ign http://mirrors.digitalocean.com quantal-updates Release.gpg        
    Ign http://security.ubuntu.com quantal-security Release
    Ign http://security.ubuntu.com quantal-security/main amd64 Packages/DiffIndex
    Ign http://mirrors.digitalocean.com quantal Release
    Ign http://mirrors.digitalocean.com quantal-updates Release
    Ign http://mirrors.digitalocean.com quantal/main amd64 Packages/DiffIndex
    Ign http://mirrors.digitalocean.com quantal/universe amd64 Packages/DiffIndex
    Ign http://mirrors.digitalocean.com quantal-updates/main amd64 Packages/DiffIndex
    Ign http://mirrors.digitalocean.com quantal-updates/universe amd64 Packages/DiffIndex
    Ign http://security.ubuntu.com quantal-security/main Translation-en_US
    Ign http://security.ubuntu.com quantal-security/main Translation-en
    Err http://security.ubuntu.com quantal-security/main amd64 Packages
      404  Not Found [IP: 91.189.88.149 80]
    Ign http://mirrors.digitalocean.com quantal/main Translation-en_US
    Ign http://mirrors.digitalocean.com quantal/main Translation-en
    Ign http://mirrors.digitalocean.com quantal/universe Translation-en_US
    Ign http://mirrors.digitalocean.com quantal/universe Translation-en
    Ign http://mirrors.digitalocean.com quantal-updates/main Translation-en_US
    Ign http://mirrors.digitalocean.com quantal-updates/main Translation-en
    Ign http://mirrors.digitalocean.com quantal-updates/universe Translation-en_US
    Ign http://mirrors.digitalocean.com quantal-updates/universe Translation-en
    Err http://mirrors.digitalocean.com quantal/main amd64 Packages
      404  Not Found
    Err http://mirrors.digitalocean.com quantal/universe amd64 Packages
      404  Not Found
    Err http://mirrors.digitalocean.com quantal-updates/main amd64 Packages
      404  Not Found
    Err http://mirrors.digitalocean.com quantal-updates/universe amd64 Packages
      404  Not Found
    W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/quantal-security/main/binary-amd64/Packages  404  Not Found [IP: 91.189.88.149 80]
    
    W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/quantal/main/binary-amd64/Packages  404  Not Found
    
    W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/quantal/universe/binary-amd64/Packages  404  Not Found
    
    W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/quantal-updates/main/binary-amd64/Packages  404  Not Found
    
    W: Failed to fetch http://mirrors.digitalocean.com/ubuntu/dists/quantal-updates/universe/binary-amd64/Packages  404  Not Found
    
    E: Some index files failed to download. They have been ignored, or old ones used instead.
    
    

    As you can see, the apt-get update fails, so there’s no updated package list and thus the upgrade of bash doesn’t take place.

    Any help?

    • Ubuntu 12.10 (quantal) is no longer a supported release. Ubuntu has pulled the package archive for that release. We offer a backup of that repository at http://mirrors.digitalocean.com/ubuntu-old but the fix for this bug will not be available there. You are strongly encouraged to upgrade to a newer Ubuntu release using the do-release-upgrade command.

    • Thanks, @asb I was coming to that conclusion in my searches.

  • Thanks a lot! My droplet was vulnerable, but no more thanks to your tutorial.

  • how to verified account

  • Thanks for the tutorial, I’m not a regular sysadmin and only fine tune DO droplets when the need arises and then its usually a steep learning curve.
    I did a backup - the node is 198.199.94.20
    Way back I launched a defined DO package for wordpress - my console settings Kernel says
    "Original Kernel (Ubuntu 12.10 x64 Server vmlinuz-3.5.0.17-generic(25))"
    I’ve tried to swap the kernel out for one of the options
    "Ubuntu 13.10 x64 vmlinuz-3.11.0-26-generic" to then do an upgrade
    but after rebooting it is still at 12.10?
    I’m wondering why this failed?

    I’ve tried using the “do-release-upgrade” - but it comes back with

    Your Ubuntu release is not supported anymore.
    Err Upgrade tool signature
    404 Not Found [IP: 91.189.91.14 80]
    Err Upgrade tool
    404 Not Found [IP: 91.189.91.14 80]
    Fetched 0 B in 0s (0 B/s)
    WARNING:root:file ‘raring.tar.gz.gpg’ missing
    Failed to fetch
    Fetching the upgrade failed. There may be a network problem.

    I’ve tried https://www.digitalocean.com/community/questions/update-on-ubuntu-12-10-server-failing-not-found
    but it aborted and restored back to 12.10

    I hear “@manicas” advice that its not recommended to let a server be at 12.10 - but I do have a DO supplied configuration that is at 12.10, and I wonder is there a tutorial for dummies to say how to upgrade it.
    I have spent a couple of hours trying to stitch together an upgrade.
    Many thanks.

  • after I installed the bash update, my php shell_exec command to run pdftk does not work anymore - any ideas what to do?

    thanks

  • I’ve found such tool for vulnerability test: http://www.host-tracker.com/Blog/Shellshock

  • FYI - I’ve a droplet from a DO supplied application “WordPress on Ubuntu12.10” .
    The Control Panel Kernel screen says “Original Kernel (Ubuntu 12.10 x64 vmlinuz-3.5.0-17-generic(25))”
    uname -ri lists - 3.5.0-17-generic x86_64 (only one option)

    I tried the suggestion in this article, and they didn’t work. I tried a whole bunch of other suggestions that other people have put out there using mirrors supplied by DO - and they didn’t work
    I tried a Kernel Upgrade - and it turns out that for my DO supplied Ubuntu12.10 distribution it is some strange version (created as a DO application) and it isn’t supported in the Kernel Upgrade - despite there being a lot of options visually available in the Control Panel - Kernel Upgrade.
    I’ve opened a ticket on the upgrade question, and I’m not getting any reasonable suggestions - it seems DO support is talking Apple Pie -
    “you need to upgrade” but no reasonable working ways to do it,
    “Changing the kernel in the control panel does not upgrade the kernel on the droplet.” - with no workable method for what can work.

    I’m getting DO advice that aren’t working solutions.

  • All people running Linux systems whether on local machines or servers were put in panic when a security flaw was discovered in Bash; the Bash Remote Exploit was nicknamed Shellshock.

    The vulnerability was exposed in HTTP CGI scripts and in OpenSSH. It affected nearly all versions of Linux; thankfully there was an update available to secure yourself.

    Cloudways was among the first to fix the entire infrastructure and provide extra security to its clients - Here: Bash Remote Exploits

  • I will have to tell the admin to be careful and follow what the monitoring tool Anturis says and alerts. By the way, are any monitoring tools of help here?

  • Thanks Mitchel

Creative Commons License