Just a nudge for people who may have patched for CVE-2014-6271 but missed the follow-up vulnerability CVE-2014-6278; you will have to patch again. (This likely will include your CSA. Look for a patch provided by LANDESK for the CSA - not the method below.)
Below is a patch definition to detect and update both CVE-2014-6271 and CVE-2014-6278. I have tested this on CentOS 6 - but you should still test it on a test device in a test core environment before releasing to your production environment.
This patch does not require a reboot, but if your bash version is far behind it may pull in an earlier update that does require one. The patch installs silently.
Logs for the patches may be found at:
/opt/landesk/vulscan-bashCVE-2014-6271-patchlog.ini
/opt/landesk/vulscan-bashCVE-2014-6271notvuln-patchlog.ini
/opt/landesk/vulscan-bashCVE-2014-6278-patchlog.ini
/opt/landesk/vulscan-bashCVE-2014-6278notvuln-patchlog.ini
Create a custom definition in LANDESK patch and compliance.
Set its OSs to redhat/centos
Set a query to limit the devices you wish to release the patch to
Set the custom detection script to:
#!/bin/bash
#set -x
reason="CVE-2014-6271 Detected"
reason2="CVE-2014-6278 Detected"
RV=0
RV2=0
# Additional info:
# http://threatpost.com/researcher-takes-wraps-off-two-undisclosed-shellshock-vulnerabilities-in-bash/108674
#
# Both tests run in a child bash, so a variable set inside the child never
# reaches this script. The child prints VULN instead and the parent reads
# that from the child's stdout.

# CVE-2014-6271: a vulnerable bash executes the command that trails the
# function definition while it imports the environment.
out=$(env x='() { :;}; echo VULN; yum -y update bash > /opt/landesk/vulscan-bashCVE-2014-6271-patchlog.ini 2>&1' bash -c ':')
if [ "$out" = "VULN" ]; then
    RV=1
else
    echo "Not Vulnerable" > /opt/landesk/vulscan-bashCVE-2014-6271notvuln-patchlog.ini
fi

# CVE-2014-6278: a vulnerable bash still imports a function from a plain
# environment variable, so calling it by name succeeds.
out2=$(_x='() { echo VULN; yum -y update bash > /opt/landesk/vulscan-bashCVE-2014-6278-patchlog.ini 2>&1; }' bash -c '_x 2>/dev/null')
if [ "$out2" = "VULN" ]; then
    RV2=1
else
    echo "Not Vulnerable" > /opt/landesk/vulscan-bashCVE-2014-6278notvuln-patchlog.ini
fi

if [ $RV -eq 1 ]; then
    if [ $RV2 -eq 1 ]; then
        echo "${reason} ${reason2}" >&1
        echo "Yum Check-Bash Update Ran - CVE-2014-6271 and CVE-2014-6278" >&2
    else
        echo "${reason}" >&1
        echo "Yum Check-Bash Update Ran - CVE-2014-6271" >&2
    fi
else
    if [ $RV2 -eq 1 ]; then
        echo "${reason2}" >&1
        echo "Yum Check-Bash Update Ran - CVE-2014-6278" >&2
        RV=1   # exit status 1 signals "detected" for either CVE
    fi
fi
exit $RV
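A read-only companion to the detection script, added here as an example and not part of the original post: it performs the same two tests without running yum or writing anything under /opt/landesk, so it can be run by hand on a test device before the definition is released. The optional first argument (the path of the bash binary to check) is an assumption of this example.

```shell
#!/bin/bash
# Dry-run check for the two conditions the detection script tests.
# Added example: no yum update, no log files. The bash to test may be
# given as $1 (assumed convention); it defaults to the bash in PATH.

# Prints "vulnerable" if the shell under test executes the command that
# trails an imported function definition (the CVE-2014-6271 pattern).
check_6271() {
    local sh="${1:-bash}"
    local out
    out=$(env x='() { :;}; echo VULN' "$sh" -c ':' 2>/dev/null)
    [ "$out" = "VULN" ] && echo vulnerable || echo patched
}

# Prints "vulnerable" if the shell under test still imports a function
# from a plain environment variable (the CVE-2014-6278 test the post uses).
check_6278() {
    local sh="${1:-bash}"
    local out
    out=$(_x='() { echo VULN; }' "$sh" -c '_x' 2>/dev/null)
    [ "$out" = "VULN" ] && echo vulnerable || echo patched
}

# Reports both results the way the definition would: exit status 1 means
# at least one condition was detected, 0 means neither.
shellshock_status() {
    local sh="${1:-bash}"
    local r1 r2
    r1=$(check_6271 "$sh")
    r2=$(check_6278 "$sh")
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-6278: $r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

shellshock_status "$@"
```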