October 28th, 2014

linux  |   rackspace  |   admin  |   arch

First, test whether your server is vulnerable to Shellshock and the related vulnerabilities by running an automated test tool, bashcheck, developed by Hanno Böck.

If you have an older Arch Linux (2010 version) set up in Rackspace, you can't just run pacman -Syu. That would seriously break the server, since newer versions are configured differently: for example, some software that was once installed to /bin/ now goes to /usr/bin. So if you are not ready to migrate all the sites, emails or whatever else you have on that server to a new one, there is a way to compile the software manually and apply all the needed patches in the process.

Here are the required steps:

  1. Download the old Bash version that matches the one you are using; run pacman -Qi bash to find the version (for example "4.2.008-1")
  2. Go to svntogit on Arch Linux servers
  3. Open log
  4. Find the right version (for example "upgpkg: bash 4.2.008-1")
  5. Make a new temporary folder on the server and download the archive, for example: wget https://projects.archlinux.org/svntogit/packages.git/snapshot/packages-79b09cb04512912b640785a7834e2fd3ae3b2357.tar.gz
  6. Untar the file: tar zxf packages-79b09cb04512912b640785a7834e2fd3ae3b2357.tar.gz
  7. cd to the trunk folder: packages-79b09cb04512912b640785a7834e2fd3ae3b2357/trunk
  8. Edit the _patchlevel variable in PKGBUILD so that it includes all the patches released since 24.09.2014, when the vulnerabilities were found. The correct _patchlevel value for Bash version 4.2 is 053.
  9. Try to build the package with makepkg; it will download all the required patch files.
  10. You will get an error about non-matching md5sums. Generate new md5sums for all files by running makepkg -g, then copy the generated md5sums array into PKGBUILD, replacing the previous array.
  11. Run makepkg again
  12. Update the Bash package: sudo pacman -U bash-4.2.053-1-x86_64.pkg.tar.xz
  13. Restart the server to ensure that no older Bash instances remain in the server's memory. Or, if you do not want to reset the uptime, find the running instances and kill them.
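As an added example (not part of the original post), here is a small bash script that scripts steps 8, 10 and 13 against trunk/PKGBUILD. It assumes the layout of the Arch bash PKGBUILD of that time (a `_patchlevel=NNN` line and an `md5sums=(...)` array) and a hypothetical file name, fixbash.sh; the `stale_bash_pids` helper lists processes still running the replaced binary so you can restart them instead of rebooting.

```bash
#!/bin/bash
# Added example, not part of the original post: helpers for steps 8, 10 and 13.
# Assumes the Arch bash PKGBUILD layout of that era: a `_patchlevel=NNN` line
# and an `md5sums=(...)` array spanning one or more lines.

# Step 8: point _patchlevel at the wanted level (053 for the bash 4.2 series).
set_patchlevel() {
    local pkgbuild=$1 level=$2
    sed -i "s/^_patchlevel=.*/_patchlevel=${level}/" "$pkgbuild"
    grep -q "^_patchlevel=${level}\$" "$pkgbuild"   # fail if no such line existed
}

# Step 10: swap the stale md5sums=(...) array for the one `makepkg -g` printed
# (saved to the file named by $2). Handles both single- and multi-line arrays.
replace_md5sums() {
    local pkgbuild=$1 newsums=$2
    awk -v sums="$newsums" '
        /^md5sums=\(/ {                      # start of old array: emit the new one
            while ((getline line < sums) > 0) print line
            if ($0 !~ /\)[ \t]*$/) skip = 1  # multi-line array: drop until ")"
            next
        }
        skip && /\)[ \t]*$/ { skip = 0; next }
        !skip { print }
    ' "$pkgbuild" > "$pkgbuild.tmp" && mv "$pkgbuild.tmp" "$pkgbuild"
}

# Step 13: instead of a reboot, find processes still executing the old bash
# binary. After pacman replaced /bin/bash the kernel reports the unlinked
# executable as "... (deleted)" in /proc/<pid>/exe. Review the list, then
# restart those services rather than killing blindly.
stale_bash_pids() {
    local exe pid
    for exe in /proc/[0-9]*/exe; do
        pid=${exe#/proc/}; pid=${pid%/exe}
        case "$(readlink "$exe" 2>/dev/null)" in
            *"/bash (deleted)") echo "$pid" ;;
        esac
    done
}

# Usage from inside the trunk/ directory: ./fixbash.sh PKGBUILD 053
if [ $# -eq 2 ]; then
    set_patchlevel "$1" "$2"
    makepkg -g > md5sums.new && replace_md5sums "$1" md5sums.new
fi
```

After the script has run, continue with step 11 (makepkg) and step 12 (pacman -U); `stale_bash_pids` is for use after the upgrade.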

That's it! Your server should no longer be vulnerable to Shellshock. You can test this by running the automated test tool again.