shellshocker's Introduction

shellshocker's People

Contributors

betesh, bravo-kernel, cycloon, dfc, forkbomber, horner, itsadok, jin, jswing-mie, mal, mhensler, michaelkremser, msmeissn, muescha, philrandal, sacro, the-judge, toonspin, tuxpowered, wreiske

shellshocker's Issues

How to revert shellshocker?

Debian squeeze-lts here. I'd like to stick to the repository packages when they've patched the vulnerabilities. How can I revert the changes made by shellshocker fix script?

License

Without a License it's unclear who can legally use the shellshocker code and how.

Ubuntu Systems Fix

A friend of mine suggested apt-get update; apt-get install --only-upgrade bash instead of upgrade, because upgrade upgrades all installed packages, which is not what you really want to do...

script errors

It's written for sh but uses bash/ksh [[ ]] syntax
Just put it into shellcheck.net, it'll do a better job explaining.

L49: for p in ls ../bash43-[0-9][0-9][0-9]; do patch -p0 < $p; done
Use: for p in ../bash43-[0-9][0-9][0-9]; do patch -p0 < "$p"; done

etc

Missing shock

Only some of the static public facing content is in this report and not actually the /shock file. So the website is still a "black box".

Patching breaks default gateway being applied on Centos 5

For your reference:

http://bugs.centos.org/view.php?id=4582
https://bugzilla.redhat.com/show_bug.cgi?id=482826

The latest Shellshocker patch triggers this bug. In short, "/etc/sysconfig/network-scripts/network-functions" does not work under bash 4.x - which is applied as part of the Shellshocker patch. The result is network interfaces come up/start, but fail to apply their gateway information.

Fixes:

1.) Manually define a gateway on a nominated interface via "route add" after restarting the system or restarting network services - example:

service network restart
route add default gw n.n.n.n eth0

2.) Go to line 78 in "/etc/sysconfig/network-scripts/network-functions" and change:

. $CONFIG

to:

. ./$CONFIG

(Note the spaces between the '.')

Note: On Redhat systems, the bug documentation cited above implies this change is required on line 80, not 78.

CVE-2014-6277 is still vulnerable after fixbash

Hello!
This one liner sums it up:

 apt-get install make curl gcc patch; curl https://shellshocker.net/shellshock_test.sh | bash || curl https://shellshocker.net/fixbash | sh ; curl https://shellshocker.net/shellshock_test.sh | bash

Outputs, at the end:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2533  100  2533    0     0   5754      0 --:--:-- --:--:-- --:--:--  5932
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 :  2683 Erreur de segmentation  bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Even if compilation is successful, sometimes it's on very similar hosts.
Any idea of a workaround/bugfix?

discourage piping the output of curl directly into bash

Would you please remove the suggestion to pipe the output of curl directly into bash? This is a very bad security practice. To prove this, please see my example here:

http://www.brockmann-consult.de/peter2/securitylesson/

It uses a simple RewriteCond and RewriteRule to give you a different script depending on your user agent. Even if your provider doesn't give you access to do this, a simple man-in-the-middle attack or someone that runs the provider can accomplish the same thing. And even if somehow your site was magically immune to this, you should not be encouraging anyone to use this method, but instead to be cautious.

Thanks
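
The alternative to `curl ... | sh` that the issue above argues for, as an added example (not part of the original issue or of the shellshocker project): download to a file, compare it against a SHA-256 digest obtained out of band, and execute only on an exact match. The function names and the idea of a pinned digest are assumptions of this example; the page publishes no digest.

```shell
#!/bin/sh
# Added example: fetch, verify, then run, instead of piping curl into a shell.
# A server that varies its response by User-Agent, or a man-in-the-middle,
# changes the bytes and therefore the digest, so the script is never executed.

sha256_of() {
    # Print the SHA-256 hex digest of FILE (GNU coreutils, or shasum on BSD/macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

verify_script() {
    # verify_script FILE EXPECTED_SHA256 -> 0 only on an exact digest match.
    [ -f "$1" ] || return 2
    actual=$(sha256_of "$1") || return 2
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

run_if_verified() {
    # Execute FILE with sh only after its digest has been checked.
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "digest mismatch for $1; not executing" >&2
        return 1
    fi
}

fetch_verify_run() {
    # fetch_verify_run URL EXPECTED_SHA256
    # EXPECTED_SHA256 must come from a channel other than the server that
    # serves URL (for example a signed release note), or it proves nothing.
    url=$1
    expected=$2
    tmp=$(mktemp) || return 2
    # --fail keeps HTTP error pages from being saved as a "script";
    # --proto/--proto-redir refuse anything but HTTPS, including on redirects.
    if curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' -o "$tmp" "$url"; then
        run_if_verified "$tmp" "$expected"
        rc=$?
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Saving the download to a file also lets the script be read before it is run, which a pipe into `sh` never allows.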

Mac OS X

After running curl https://shellshocker.net/shellshock_test.sh | bash I can see that I am vulnerable to CVE-2014-6271, CVE-2014-6278 and CVE-2014-7169.

I then used brew to install the latest version of bash and then ran the commands to tell the OS which version of bash to use:

sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'
chsh -s /usr/local/bin/bash
sudo mv /bin/bash /bin/bash-backup
sudo ln -s /usr/local/bin/bash /bin/bash

If I rerun the test I am still vulnerable. Even after a system reboot. Anyone else getting this?

CVE-2014-7186 is still vulnerable

env: Ubuntu 14.04 LTS

I tried the command
curl https://shellshocker.net/fixbash | sh

and finished the patch. But using a known test script it still showed CVE-2014-7186 was not fixed yet.


shanfu@shanfu-ubuntu:~/code$ ./shellshock_test.sh
Evaluating /bin/bash...
Running tests...
Tests completed. Determining results...
CVE-2014-6172: not vulnerable
CVE-2014-7169: not vulnerable
CVE-2014-7186: VULNERABLE
CVE-2014-7187: not vulnerable
This shell should be immune to shellshock attack via any other parser bugs
Overall status: VULNERABLE

CVE-2014-6277 not detected by shellshock_test.sh ?

I got shellshock_test.sh (from https://shellshocker.net/shellshock_test.sh) and ran it on a CentOS VM and it says everything is OK. However running manually the test command listed for Exploit 7 (CVE-2014-6277) at https://shellshocker.net/#fix I get a 'Segmentation fault'.

Is this version of bash vulnerable?
Please note that the text version of some of the content of the commands is not displayed properly (it seems to "eat" certain characters). See the attached screenshot.

$ bash -c "f() { x() { _;}; x() { _;} <<a; }" bash -c date 2>/dev/null || echo vulnerable
Segmentation fault (core dumped)
vulnerable

$ bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
Segmentation fault (core dumped)
vulnerable

$ bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

$ cat /etc/release
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
cpe:/o:centos:linux:6:GA

$ sudo yum install bash -y
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile

 * base: mirror.symnds.com
 * epel: kdeforge2.unl.edu
 * extras: mirror.symnds.com
 * updates: mirrors.advancedhosters.com
Setting up Install Process
Package bash-4.1.2-15.el6_5.2.x86_64 already installed and latest version
Nothing to do
