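I applied the bash vulnerability fix to a RHEL system that is not registered with a subscription, using the CentOS repo.
For the configuration itself, see the article below.
Running yum on RHEL using the CentOS repo
https://www.rootlinks.net/2014/08/16/rhelでcentos-repoを使用してyumの実行/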
Vulnerability check
```
[root@host1 ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
```
Update
```
[root@host1 ~]# yum --enablerepo=base update bash
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-8.el6 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch        Version                  Repository      Size
================================================================================
Updating:
 bash         x86_64      4.1.2-15.el6_5.2         updates        905 k

Transaction Summary
================================================================================
Upgrade       1 Package(s)

Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.2.x86_64.rpm                         | 905 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : bash-4.1.2-15.el6_5.2.x86_64                                 1/2
  Cleanup    : bash-4.1.2-8.el6.x86_64                                      2/2
duration: 135(ms)
Installed products updated.

Updated:
  bash.x86_64 0:4.1.2-15.el6_5.2

Complete!
```
bash changelog
```
[root@host1 ~]# rpm -q --changelog bash
* 木 9月 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.1.2-15.2
- CVE-2014-7169
  Resolves: #1146322

* 月 9月 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.1.2-15.1
- Check for fishy environment
  Resolves: #1141645

(snip)
```
Vulnerability check
```
[root@host1 ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
```
For now, there do not appear to be any problems.
If you want to rebuild from the SRPM package instead, see this article.
Updating bash on RHEL (rpmbuild)
https://www.rootlinks.net/2014/09/30/rhelのbashをアップデートrpmbuild/
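The two checks above (the probe command and the changelog lookup) can be combined into one repeatable post-update check. This is an added example, not part of the original post; the function names are hypothetical, and it assumes the probe string and the CVE-2014-7169 changelog entry shown above. The probe alone does not show whether the CVE-2014-7169 fix is installed, so the changelog is checked as well.

```shell
#!/bin/sh
# Added example (not from the original post): post-update check for bash.

# Classify the output of the page's probe command, read from stdin.
# Prints: vulnerable / patched / unknown.
classify_probe() {
    cp_out=$(cat)
    if printf '%s\n' "$cp_out" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$cp_out" | grep -qx 'this is a test'; then
        echo patched
    else
        echo unknown      # bash missing, or the probe did not run at all
    fi
}

# Succeed if the changelog text on stdin mentions the given fix id.
changelog_has() {
    grep -qF -- "$1"
}

# Run both checks on the local host. Returns 0 only when the probe is clean
# and, where rpm is available, the installed bash changelog lists the fix.
check_host() {
    ch_probe=$(env x='() { :;}; echo vulnerable' \
        bash -c 'echo this is a test' 2>/dev/null | classify_probe)
    echo "probe: $ch_probe"
    [ "$ch_probe" = patched ] || return 1
    if command -v rpm >/dev/null 2>&1; then
        if rpm -q --changelog bash 2>/dev/null | changelog_has 'CVE-2014-7169'; then
            echo "changelog: CVE-2014-7169 fix present"
        else
            echo "changelog: CVE-2014-7169 fix not listed"
            return 1
        fi
    fi
}
```

Source the file and call `check_host`; a non-zero return means the host still needs the update.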