I am currently running UDOO quad UDOObuntu 12.04 LTS in a production environment. Will there be a patch for CVE-2014-6271, CVE-2014-7169 soon? I am trying to keep my system security officer happy.
Debian too. It's unfortunate that all the UDOO distributions seem to be poorly maintained for security updates. Several weeks after this vulnerability came to light, I've patched about 60 servers now, including even some Raspberry Pis (Raspbian got the fix quickly). Excluding a few ancient embedded boxes, the UDOO is the only vulnerable one left. Anything that might possibly run a shell script has been firewalled off, but still... I guess we might end up having to recompile bash from upstream source distribution and replace it outside the packaging system.
Which is what I did. And tested for all exploits (7 so far). I am still testing any quirks with the UDOO and hopefully I don't find any.

This is what I did: Made a new SD card with the most current UDOObuntu 12.04 download. Created a file called bash-fix.sh and wrote the following code. (At the time of writing there were 30 patches)

Code:
#!/bin/sh
# stop at the first failed download or patch instead of building a partly patched tree
set -e
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# download all patches
for i in $(seq -f "%03g" 1 30); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
# apply all patches
for i in $(seq -f "%03g" 1 30); do patch -p0 < ../bash43-$i; done
# build and install (--prefix=/ installs the new binary as /bin/bash)
./configure --prefix=/ && make && make install
cd ..
cd ..
rm -r src

Ran the command

Code:
chmod 777 bash-fix.sh

Executed the shell

Code:
sudo ./bash-fix.sh

It downloaded and compiled the patches I needed. To test the exploits I referred to http://shellshocker.net

Hope this fixes the bash bug and hoping there are no further problems with bash. The above should work for Debian but I didn't test. Also I hope this helps.
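
Added example, not part of the thread and not UDOO or GNU code: a check that each bash binary on the system reports at least the patch level built above (series 4.3, patch 30, both taken from the post). The function names, the list of paths and the sample version strings in the comments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Report the patch level of every bash binary found and compare it with the
# level built in the post. "ok" means "at or above that level", nothing more.

REQUIRED_SERIES="4.3"   # from the post: bash-4.3.tar.gz
REQUIRED_PATCH=30       # from the post: patches 001-030 applied

# parse_bash_version "<first line of 'bash --version'>"
# Prints "MAJOR.MINOR PATCH"; returns 1 if the line is not a bash banner.
# Constructed sample: "GNU bash, version 4.3.30(1)-release (arm-unknown-linux-gnueabihf)"
parse_bash_version() {
    printf '%s\n' "$1" | sed -n \
        's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\)\.\([0-9][0-9]*\)(.*$/\1 \2/p' \
        | grep .
}

# classify "<version line>" prints one of: ok | outdated | other-series | unknown
classify() {
    parsed=$(parse_bash_version "$1") || { echo unknown; return; }
    series=${parsed% *}
    patch=${parsed#* }
    if [ "$series" != "$REQUIRED_SERIES" ]; then
        echo other-series      # e.g. a distribution build from another release series
    elif [ "$patch" -ge "$REQUIRED_PATCH" ]; then
        echo ok
    else
        echo outdated
    fi
}

# Check the usual install locations (assumed list; extend it for your image).
audit_bash_binaries() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        if [ -x "$b" ]; then
            line=$("$b" --version 2>/dev/null | head -n 1)
            printf '%s: %s (%s)\n' "$b" "$(classify "$line")" "$line"
        fi
    done
}

audit_bash_binaries
```

Because the build is installed over /bin/bash outside the packaging system, a later upgrade of the distribution's bash package can replace the binary, so the check is worth re-running after package updates.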