Security advisory: Mac OS X and GNU/Linux users: update bash to protect against Shellshock exploit

Posted: 2014/09/27 in Security, Ubuntu
Tags: , , , , , , , , , ,

Dear Mac OS X and GNU/Linux users,

It is highly recommended to update the bash shell program to protect against the Shellshock vulnerability.

Update on October 8, 2014: working patch for vulnerability CVE-2014-6277 for Ubuntu 14.04 LTS users is now available via a PPA repository (ppa:ubuntu-security-proposed/ppa).

More info here:

I presume this will also affect home routers running a modified version of GNU/Linux, if the router has bash installed…

Stock Android users are unaffected (for the time being), because the stock version of Android uses mksh instead of bash according to this link:

Non-jailbroken iPhones/iPads and non-rooted Android devices are not vulnerable to Shellshock.

However, jailbroken Android devices running Cydia or Cyanogen may have a vulnerable version of bash installed!

Ubuntu 14.04 LTS users:

Here is the code to run in a Terminal to see if your installed version of bash is vulnerable or not:

wget ; bash


Example of Terminal output:

$ sudo add-apt-repository ppa:ubuntu-security-proposed/ppa

$ sudo apt-get update

$ sudo apt-get dist-upgrade

Fetched 1,531 kB in 10s (152 kB/s)

The following packages will be upgraded:
1 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 576 kB of archives. After unpacking 0 B will be used.
Do you want to continue? [Y/n/?]
Get: 1 trusty/main bash amd64 4.3-7ubuntu1.5 [576 kB]
Fetched 576 kB in 0s (980 kB/s)
(Reading database … 331726 files and directories currently installed.)
Preparing to unpack …/bash_4.3-7ubuntu1.5_amd64.deb …
Unpacking bash (4.3-7ubuntu1.5) over (4.3-7ubuntu1.4) …
Processing triggers for man-db ( …
Processing triggers for menu (2.1.46ubuntu1) …
Processing triggers for install-info (5.2.0.dfsg.1-2) …
Setting up bash (4.3-7ubuntu1.5) …
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode
Processing triggers for menu (2.1.46ubuntu1) …

Current status: 0 updates [-1].
$ wget ; bash
–2014-10-08 09:30:50–
Resolving (…,, 2400:cb00:2048:1::a29f:f3ab, …
Connecting to (||:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2533 (2.5K) [application/octet-stream]
Saving to: ‘’

100%[=================================================================================================================================================================>] 2,533 –.-K/s in 0s

2014-10-08 09:30:51 (177 MB/s) – ‘’ saved [2533/2533]

CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian’s patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on not vulnerable

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s