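Bash vulnerability patching, CVE-2014-6271
Reposted from Alibaba Cloud: http://bbs.aliyun.com/read/176975.html?spm=5176.7189909.0.0.f9BXki
Urgent Bash vulnerability: all users running Linux servers, please take note. This vulnerability directly affects Unix-based systems (such as Linux and OS X) and can allow a remote attacker to execute arbitrary code on an affected system.

【Software and systems confirmed to be exploitable】

All Linux operating systems with GNU bash version 4.3 or earlier installed.

【Vulnerability description】

The vulnerability stems from specially crafted environment variables created before the bash shell is invoked. These variables can contain code, which bash then executes.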

【Vulnerability detection method】
Detection command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Before the fix
Output:
vulnerable
this is a test

After applying the fix
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Special note: the fix itself has no side effects. However, if your scripts define environment variables in the way shown above, they will fail with errors after the fix is applied.
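
The detection command above, wrapped as a reusable check (an added example, not part of the original post). The function names `classify_output`, `check_bash` and `scan_shells` and the three status labels are assumptions of this example, and it tests only the case shown on this page.

```shell
#!/bin/sh
# Added example: wraps the page's detection command. Names are hypothetical.

# classify_output: reads the combined stdout/stderr of the test command on
# stdin and prints one of: vulnerable | not_vulnerable | unknown
classify_output() {
    out=$(cat)
    # A vulnerable bash executes the text after the function body while
    # importing "x", so a line that is exactly "vulnerable" appears.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable
    # A fixed bash may print warnings, but still runs the -c command.
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo not_vulnerable
    else
        echo unknown    # binary did not run the test command at all
    fi
}

# check_bash PATH: runs the page's test against one bash binary.
check_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo unknown
        return 0
    fi
    env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>&1 |
        classify_output
}

# scan_shells: checks every bash listed in /etc/shells plus the one on PATH,
# since a host can carry more than one bash binary (e.g. a locally built copy).
scan_shells() {
    { grep -E '/bash$' /etc/shells 2>/dev/null || true
      command -v bash || true; } | sort -u | while read -r b; do
        printf '%s\t%s\n' "$b" "$(check_bash "$b")"
    done
}

# Run "sh thisfile.sh --scan" to print one "path<TAB>status" line per binary.
if [ "${1:-}" = "--scan" ]; then
    scan_shells
fi
```

Running the scan again after the update confirms that every bash binary on the host, not only the packaged one, reports `not_vulnerable`.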

【Recommended fix】

Choose the fix command that matches your Linux distribution and version. To guard against unexpected problems, we recommend taking a snapshot of the Linux server's system disk before running the command. If the upgrade does affect the operation of your server, you can recover by rolling back to the system disk snapshot.

centos:
yum -y update bash

ubuntu:
14.04 64bit
wget http://mirrors.aliyun.com/fix_stuff/bash_4.3-7ubuntu1.1_amd64.deb && dpkg -i bash_4.3-7ubuntu1.1_amd64.deb

14.04 32bit
wget http://mirrors.aliyun.com/fix_stuff/bash_4.3-7ubuntu1.1_i386.deb && dpkg -i bash_4.3-7ubuntu1.1_i386.deb

12.04 64bit
wget http://mirrors.aliyun.com/fix_stuff/bash_4.2-2ubuntu2.2_amd64.deb && dpkg -i bash_4.2-2ubuntu2.2_amd64.deb

12.04 32bit
wget http://mirrors.aliyun.com/fix_stuff/bash_4.2-2ubuntu2.2_i386.deb && dpkg -i bash_4.2-2ubuntu2.2_i386.deb

10.10 64bit
wget http://mirrors.aliyun.com/fix_stuff/bash_4.1-2ubuntu3.1_amd64.deb && dpkg -i bash_4.1-2ubuntu3.1_amd64.deb

10.10 32bit
wget http://mirrors.aliyun.com/fix_stuff/bash_4.1-2ubuntu3.1_i386.deb && dpkg -i bash_4.1-2ubuntu3.1_i386.deb

debian:
7.5 64bit && 32bit
apt-get -y install --only-upgrade bash

6.0.x 64bit
wget http://mirrors.aliyun.com/debian/pool/main/b/bash/bash_4.1-3%2bdeb6u1_amd64.deb && dpkg -i bash_4.1-3+deb6u1_amd64.deb

6.0.x 32bit
wget http://mirrors.aliyun.com/debian/pool/main/b/bash/bash_4.1-3%2bdeb6u1_i386.deb && dpkg -i bash_4.1-3+deb6u1_i386.deb

opensuse:
13.1 64bit
wget http://mirrors.aliyun.com/fix_stuff/bash-4.2-68.4.1.x86_64.rpm && rpm -Uvh bash-4.2-68.4.1.x86_64.rpm

13.1 32bit
wget http://mirrors.aliyun.com/fix_stuff/bash-4.2-68.4.1.i586.rpm && rpm -Uvh bash-4.2-68.4.1.i586.rpm

aliyun linux:
5.x 64bit
wget http://mirrors.aliyun.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm && rpm -Uvh bash-3.2-33.el5.1.x86_64.rpm

5.x 32bit
wget http://mirrors.aliyun.com/centos/5/updates/i386/RPMS/bash-3.2-33.el5.1.i386.rpm && rpm -Uvh bash-3.2-33.el5.1.i386.rpm

Attached are the yml files for patching the vulnerability, for use with Ansible.
Reposted from: https://raymii.org/s/articles/Patch_CVE-2014-6271_Shellshock_with_Ansible.html

Main role:
# cat playbooks/update.yml
---
- hosts: all
  roles:
    - { role: apt-update, when: "ansible_os_family == 'Debian'" }
    - { role: yum-update, when: "ansible_os_family == 'RedHat'" }

Debian/Ubuntu Playbook
# cat playbooks/roles/apt-update/tasks/main.yml
- copy: src=debian-6-lts.list dest=/etc/apt/sources.list.d/debian-6-lts.list
  when: ansible_distribution_major_version == "6"

# Uncomment the following to test for the vuln.
#
# - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;"
#   register: result
# - fail:
#     msg="Not vulnerable"
#   when: result.stdout != 'vulnerable'

- apt: name=bash state=latest update_cache=yes

Debian 6 LTS repo file:
# cat playbooks/roles/apt-update/files/debian-6-lts.list
# Added by Ansible to fix CVE-2014-6271 (ShellShock)
# See http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Yum Role:
# cat playbooks/roles/yum-update/tasks/main.yml
# Uncomment the following to test for the vuln.
#
# - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;"
#   register: result
# - fail:
#     msg="Not vulnerable"
#   when: result.stdout != 'vulnerable'

- command: /usr/bin/yum clean all
- yum: name=bash state=latest

Reposted from: https://blog.51cto.com/ittony/1570450