
The Bash vulnerability (Shellshock) explained, with fixes for CentOS 5/6 and RHEL 5/RHEL 6

Red Hat's description of the flaw: "A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue." In short: Bash imports function definitions from environment variables and keeps parsing past the end of the function body, so an attacker who controls an environment variable gets arbitrary shell commands executed. Any service that passes attacker-supplied data into the environment of a Bash process (CGI scripts fed HTTP headers, for example) lets an unauthenticated remote attacker reach it. To test a host, run:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output is the two lines below, the trailing `echo vulnerable` was executed while importing the function, so this Bash is vulnerable and should be upgraded as soon as possible. A fixed Bash prints only "this is a test".
vulnerable
this is a test

Official CentOS and Red Hat notices for the updated packages:
http://lists.centos.org/pipermail/centos/2014-September/146099.html

https://access.redhat.com/site/solutions/1207723

These are the first packages CentOS issued for the flaw (CVE-2014-6271). That initial fix was soon found to be incomplete and superseded by later builds (CVE-2014-7169), so on a host with repository access prefer `yum update bash`, which pulls the current build, and re-run the test above afterwards. If you install a package by hand, verify its SHA-256 against the value published in the announcement before running rpm.

SHA-256 checksums of the CentOS 5 packages (as listed in the announcement):
i386:
39f53e854969bb0bcbb280bf6581ec5857c086cdd727adc5eec9b7a9b7dcd0a6  bash-3.2-33.el5.1.i386.rpm
x86_64:
336202c14095622471275b4c4d55d49f16ee065d4f77dcef4ae5479cc67e11ad  bash-3.2-33.el5.1.x86_64.rpm
Source:
c8ccac8652d7b44531ab0a76c6eb9b0209dcd1dddf149fb182d0471206704217  bash-3.2-33.el5.1.src.rpm
CentOS 5.x

x86_64 (64-bit) systems (either mirror):
rpm -Uvh http://mirrors.aliyun.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm
rpm -Uvh http://mirrors.163.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm
i386 (32-bit) systems (either mirror):
rpm -Uvh http://mirrors.163.com/centos/5/updates/i386/RPMS/bash-3.2-33.el5.1.i386.rpm
rpm -Uvh http://mirrors.aliyun.com/centos/5/updates/i386/RPMS/bash-3.2-33.el5.1.i386.rpm
CentOS 6.x

x86_64 (64-bit) systems (either mirror):
rpm -Uvh http://mirrors.aliyun.com/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.1.x86_64.rpm
rpm -Uvh http://mirrors.163.com/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.1.x86_64.rpm

i386 (32-bit) systems (either mirror; note the CentOS 6 32-bit package is built for i686):
rpm -Uvh http://mirrors.aliyun.com/centos/6/updates/i386/Packages/bash-4.1.2-15.el6_5.1.i686.rpm
rpm -Uvh http://mirrors.163.com/centos/6/updates/i386/Packages/bash-4.1.2-15.el6_5.1.i686.rpm
After the upgrade, `rpm -qi bash` shows the new release (15.el6_5.1 on CentOS 6); re-run the test command to confirm the shell no longer prints "vulnerable":
[root@i-bdojdcci ~]# rpm -qi bash
Name        : bash                         Relocations: (not relocatable)
Version     : 4.1.2                             Vendor: CentOS
Release     : 15.el6_5.1                    Build Date: Wed 24 Sep 2014 10:45:54 PM CST
Install Date: Fri 26 Sep 2014 09:20:01 AM CST      Build Host: c6b8.bsys.dev.centos.org
Group       : System Environment/Shells     Source RPM: bash-4.1.2-15.el6_5.1.src.rpm
Size        : 3139483                          License: GPLv3+
Signature   : RSA/SHA1, Wed 24 Sep 2014 10:49:58 PM CST, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://www.gnu.org/software/bash
Summary     : The GNU Bourne Again shell
Description :
The GNU Bourne Again shell (Bash) is a shell or command language
interpreter that is compatible with the Bourne shell (sh). Bash
incorporates useful features from the Korn shell (ksh) and the C shell
(csh). Most sh scripts can be run by bash without modification.
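The whole procedure above (test, fetch a package, check it against the published SHA-256 and its GPG signature, install, re-test) as one script. This is an added example and not code from the original post or from CentOS; the mirror URL and digest are passed in by the caller, and the `openssl` fallback is assumed to be present on hosts whose coreutils lacks `sha256sum`.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a host for the bash
# environment-variable bug described above, verifies a downloaded bash RPM
# against a published SHA-256 before installing it, and re-runs the check.
# Mirror URL, package name and digest are supplied by the caller.

# Returns 0 (true) when the shell named in $1 executes the command smuggled
# in after a function definition, i.e. it is still vulnerable.
# A patched bash imports the function and prints only "this is a test".
shellshock_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Returns 0 when the SHA-256 of file $1 equals the expected hex digest $2.
# Falls back to openssl where coreutils has no sha256sum (assumption: openssl is installed).
sha256_matches() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | awk '{ print $1 }')
    else
        actual=$(openssl dgst -sha256 "$1" | awk '{ print $NF }')
    fi
    [ "$actual" = "$2" ]
}

# Download RPM $1, verify it against digest $2 and its own GPG signature
# (rpm -K, against the keys already imported on the host), install it,
# then confirm the check now passes. Returns non-zero on any failure.
upgrade_bash() {
    url=$1; expected=$2
    pkg=$(basename "$url")
    tmp=$(mktemp -d) || return 1
    if ! curl -fsSL -o "$tmp/$pkg" "$url"; then
        echo "download failed: $url" >&2; rm -rf "$tmp"; return 1
    fi
    if ! sha256_matches "$tmp/$pkg" "$expected"; then
        echo "SHA-256 mismatch for $pkg, refusing to install" >&2; rm -rf "$tmp"; return 1
    fi
    if ! rpm -K "$tmp/$pkg"; then
        echo "signature/digest check failed for $pkg" >&2; rm -rf "$tmp"; return 1
    fi
    rpm -Uvh "$tmp/$pkg" || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    if shellshock_vulnerable /bin/bash; then
        echo "still vulnerable after installing $pkg" >&2; return 1
    fi
    echo "bash upgraded to $(rpm -q bash) and no longer vulnerable"
}

# Example invocation, using the CentOS 5 x86_64 URL and digest listed above:
#   shellshock_vulnerable /bin/bash && upgrade_bash \
#     http://mirrors.aliyun.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm \
#     336202c14095622471275b4c4d55d49f16ee065d4f77dcef4ae5479cc67e11ad
```

The digest check guards against a tampered or truncated download from a third-party mirror; `rpm -K` additionally checks the package's GPG signature, which only means something if the CentOS signing key has been imported with `rpm --import` beforehand. Because `shellshock_vulnerable` is run again after installation, a package that installs cleanly but does not actually fix the shell (the first round of updates was later superseded) is reported rather than silently accepted.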
