2

Not another major bug...

Not another major bug…

EDITED 9/29/2014 – Added download links for Apple’s bash batches

So… another major *nix bug.  Yippee.

Just like Heartbleed, this is a bug that, if not addressed, can ultimately be used as a really easy attack vector for pretty much any *nix system (that’s Linux–including Ubuntu, Fedora, RedHat–and any BSD system… including OSX).

If you’d like some inflammatory articles on the new “Bash Bug”, feel free to check this, this, and this out.

 

Here’s the thing… I’m not here to fan the flames; I want to make sure people know how to patch this thing since there *IS* a patch available.  So let’s stop the rabble-rousing and get to the fixing, shall we?

**Do this periodically for the next week.  They rushed out this patch, so be safe and keep checking back for updates.**

Linux

RedHat/Fedora/CentOS

RedHat based systems use an update manager called “yum”.  If you’re using the GUI system (meaning you have a fancy-fancy mouse to move around the screen), then you can just use the Software Update Manager that is probably screaming at you from the top right corner of your screen.

Using “yum”

You *will* need to have sudo privileges to do this (you have to be an admin), so if you aren’t, find the admin of the computer and make them do this if they haven’t already.

Open up the Terminal application and type the following exactly:

sudo yum update bash -y

Hit ‘Enter’ or ‘Return’, enter your password (it won’t show you typing, so just be aware of that) and let it do its thing.  At the end you should end up with bash version 4.1.2-15 (current “safe” version).

Done.  Not too hard, right?  Right.

If you want to be safe, restart the machine.  If you’re running a server, you should probably make sure all existing shell connections are terminated.  Just a suggestion.

 

Debian/Ubuntu

Debian systems use a package manager called “apt-get” to do updates and installs.  Again, if you’re in the GUI there is probably a Package Manager screaming at you to update, so just go ahead and do that.

You *will* need to have sudo privileges to do this (you have to be an admin), so if you aren’t, find the admin of the computer and make them do this if they haven’t already.

Open up the Terminal application and type the following exactly:

apt-get --only-upgrade install bash

Again, enter your password when prompted (you won’t see the letters when you type), hit ‘Enter’ or ‘Return’ and let the magic happen.

 

Mac OSX

Apple released patches for OSX 10.7, 10.8, and 10.9.  You can grab them at their respective pages by clicking on the correct icon below:

OSX Lion

OSX Lion Bash Update 1.0

OSX Mountain Lion Bash Update 1.0

OSX Mountain Lion Bash Update 1.0

OSX Mavericks Bash Update 1.0

OSX Mavericks Bash Update 1.0

 

 

 

 

 

 

 

If you’re still interested in the manual way, see below, but as of this edit bash had not been updated to fix another outstanding vulnerability, so I’d use the Apple provided options if I were you. 🙂

This is a lot more difficult.  If you’re on a Mac, you probably haven’t ever even opened up Terminal unless some friend suggested the idea.  You most likely regretted it immediately as well.

Anyway, the “right way” to do this is to wait until Apple releases an update.  Anything else we do will be outside of the realm of Apple’s general guidelines.

If you choose to wait for the update, then I suggest Turning on the Firewall and Blocking all Incoming Connections (scroll down that page a bit for the instructions).  Additionally, turn off any sharing services in System Preferences > Sharing (uncheck the boxes).  There is a chance you need some of those though, so weigh the risks against the need.

For those who want to go whole hog and fix this thing instead of waiting for Apple and haven’t already done so because they’re uncomfortable with Terminal… hold onto your butts.

Also, Disclaimer: If done incorrectly, you could be in for a world of hurt.  Make sure you have a good backup, okay?

MacPorts

MacPorts is a package manager like “yum” or “apt-get” for OSX.  However, this was made by a third party, not Apple, so keep that in mind.

First, head to the App Store and install the Xcode Developer tools.  (Yes.  This is a requirement.)

Next, head over to MacPorts and download the appropriate MacPorts Installer.  If you have to restart, do so.

Open up Terminal and type in the following, then hit ‘Return’:
sudo port selfupdate

A bunch of stuff will scroll on the screen at this point… let it go.

Now type the following and hit ‘Return’:

sudo port install bash

If you get a prompt that Xcode Command Line tools aren’t installed, type the following:

xcode-select --install

This will pop up a Software Update window that will download and install the tools we need.  Close out of your Terminal window, then open another one (sorry, but this is actually necessary).  Search your computer for Xcode and open it up, then accept the license agreement… and that part is finally done.

If you do have to do this, run the “sudo port install bash” command again after the install completes.

Once that is done, then you’ll have a new bash installed!

… but not setup to be used by the system.  So this is where it gets really touchy and kind of scary for folks.  Again, if you want to wait for Apple, just *STOP* here.  Nothing we’ve done so far will cause any issues in the future.

So what did this just do?  It fixed your user account, but not the system.  To fix the system (the real problem), we need to edit system files…

Below this line, we’re altering system files, so be ready:


 

Replacing OS X Bash with the MacPorts Bash

The text below will be a line-by-line instruction list of what needs to be done to move stuff around.  It’s probably best if you just copy and past the command into an open Terminal window and hit Return.

WARNING: Again, we’re modifying core system components here, so proceed at your own risk.
sudo mv /bin/bash /bin/bash.old && sudo chmod a-x /bin/bash.old && sudo ln -s /opt/local/bin/bash /bin/bash

That is all one line; no line breaks.

At this point, restart your computer and wait for an update from Apple that will get rid of the changes we did here today.

If you have any questions, post them in the comments and I’ll do my best to assist.

2 comments

Leave a Reply