This article is written for people who don't want to update to Nexenta 4 but still need to fix the Shellshock bug. The procedure is quite simple, and I will describe below exactly what you need to do.
Connect to your Nexenta server as root and type !bash, then press Y.
nmc@nexenta:/$ option expert_mode=1
nmc@nexenta:/$ !bash
You are about to enter the Unix (“raw”) shell and execute low-level Unix command(s). Warning: using low-level Unix commands is not recommended! Execute? (y/n)
cd ~
# Modify apt sources
vi /etc/apt/sources.list
deb http://apt.nexentastor.org/3.1 hardy-testing main contrib non-free
deb-src http://apt.nexentastor.org/3.1 hardy-testing main contrib non-free
# Install gcc and bison in order to be able to compile bash
apt-get update
apt-get install gcc
apt-get install bison
# Download bash version 3.2, which is used on Nexenta 3.1.5. bash-3.2.48.tar.gz is already patched up to patch 48
wget http://ftp.gnu.org/gnu/bash/bash-3.2.48.tar.gz
# Download all patches after bash32-048 (at the time of publishing this article, the latest is bash32-057)
mkdir bash-3.2-patches
cd bash-3.2-patches
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-049
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-050
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-051
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-053
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-054
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-056
wget http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-057
cd ..
# Go to bash source folder and patch the source
tar -xvzf bash-3.2.48.tar.gz
cd bash-3.2.48
patch -p0 < /root/bash-3.2-patches/bash32-049
patch -p0 < /root/bash-3.2-patches/bash32-050
patch -p0 < /root/bash-3.2-patches/bash32-051
patch -p0 < /root/bash-3.2-patches/bash32-052
patch -p0 < /root/bash-3.2-patches/bash32-053
patch -p0 < /root/bash-3.2-patches/bash32-054
patch -p0 < /root/bash-3.2-patches/bash32-055
patch -p0 < /root/bash-3.2-patches/bash32-056
patch -p0 < /root/bash-3.2-patches/bash32-057
# Compile
./configure
make
make install
# The bash version should now be .57
root@nexenta:~# bash --version
GNU bash, version 3.2.57(3)-release (i386-pc-solaris2.10)
Copyright (C) 2007 Free Software Foundation, Inc.
# Test your bash against the Shellshock bug.
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash is not vulnerable"
# Example
root@nexenta:~# env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash is not vulnerable"
Bash is not vulnerable
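The test above only exercises the first bash found in PATH, while make install with the default ./configure prefix writes the rebuilt shell to /usr/local/bin/bash and does not replace any other copy. The script below is an added example, not part of the original article: it runs the same test against every bash binary it finds. The candidate paths, the marker string and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit every bash binary on the host, not only the one in PATH.
# Candidate paths are assumptions; extend the list for your system.
CANDIDATES="/bin/bash /usr/bin/bash /usr/local/bin/bash"

# Read "bash --version" output on stdin and print "major.minor.patch".
parse_version() {
    sed -n '1s/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Run the article's Shellshock test against the shell at $1.
# Prints "vulnerable", "patched", or "error" (shell did not run at all).
shellshock_status() {
    out=$(env 'VAR=() { :;}; echo SHELLSHOCK_MARKER' \
              'FUNCTION()=() { :;}; echo SHELLSHOCK_MARKER' \
              "$1" -c 'echo done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *done*)              echo patched ;;
        *)                   echo error ;;
    esac
}

# Print "path version status" for each existing binary in the argument list.
# Returns 1 if any binary is vulnerable or could not be tested.
audit_bash() {
    rc=0
    for b in "$@"; do
        [ -x "$b" ] || continue
        ver=$("$b" --version 2>/dev/null | parse_version)
        st=$(shellshock_status "$b")
        echo "$b ${ver:-unknown} $st"
        [ "$st" = patched ] || rc=1
    done
    return "$rc"
}

# shellcheck disable=SC2086  # word splitting of the path list is intended
audit_bash $CANDIDATES || echo "WARNING: a bash binary is vulnerable or untestable"
```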
Check http://ftp.gnu.org/gnu/bash/bash-3.2-patches/ every few days for new patches; a lot of security bugs will probably be fixed these days, as a lot of people are checking the code.
p.s. thanks for suggestions from jb
Thanks very much, this is exceptionally helpful, just a couple comments on the process:
1. The user will first need to execute:
option expert_mode=1
then they can do:
!bash
2. The /etc/apt/sources.list file needs to be updated with the following in order to be able to install gcc and bison:
deb http://apt.nexentastor.org hardy-unstable main contrib non-free
deb-src http://apt.nexentastor.org hardy-unstable main contrib non-free
3. There is a typo under # compile, it is listed as /.make, if the user is copying/pasting, that will fail, should be ./make
Otherwise, this got me there where all other sources of info just had a few breadcrumbs but didn’t tie it all together.
Thank you very much!
-jb
@jb thanks for your suggestions. I updated the post and I am happy that my article helped you.
@Sergiu, will this also work on version 3.1.3.?
@Milan, this will work on any 3.x version. But please check the patch level of bash with bash --version and look at 3.x.patch, because my tutorial starts with patch 49.
@Sergiu, we are running the same bash version. Though the apt sources you mention are not working:
# apt-get update
Ign http://apt.nexentastor.org hardy-unstable Release.gpg
Ign http://apt.nexentastor.org hardy-unstable Release
Ign http://apt.nexentastor.org hardy-unstable/main Packages
Ign http://apt.nexentastor.org hardy-unstable/contrib Packages
Ign http://apt.nexentastor.org hardy-unstable/non-free Packages
Ign http://apt.nexentastor.org hardy-unstable/main Sources
Ign http://apt.nexentastor.org hardy-unstable/contrib Sources
Ign http://apt.nexentastor.org hardy-unstable/non-free Sources
Err http://apt.nexentastor.org hardy-unstable/main Packages
404 Not Found
Err http://apt.nexentastor.org hardy-unstable/contrib Packages
404 Not Found
Err http://apt.nexentastor.org hardy-unstable/non-free Packages
404 Not Found
Err http://apt.nexentastor.org hardy-unstable/main Sources
404 Not Found
Err http://apt.nexentastor.org hardy-unstable/contrib Sources
404 Not Found
Err http://apt.nexentastor.org hardy-unstable/non-free Sources
404 Not Found
W: Failed to fetch http://apt.nexentastor.org/dists/hardy-unstable/main/binary-solaris-i386/Packages.gz 404 Not Found
W: Failed to fetch http://apt.nexentastor.org/dists/hardy-unstable/contrib/binary-solaris-i386/Packages.gz 404 Not Found
W: Failed to fetch http://apt.nexentastor.org/dists/hardy-unstable/non-free/binary-solaris-i386/Packages.gz 404 Not Found
W: Failed to fetch http://apt.nexentastor.org/dists/hardy-unstable/main/source/Sources.gz 404 Not Found
W: Failed to fetch http://apt.nexentastor.org/dists/hardy-unstable/contrib/source/Sources.gz 404 Not Found
W: Failed to fetch http://apt.nexentastor.org/dists/hardy-unstable/non-free/source/Sources.gz 404 Not Found
E: Some index files failed to download, they have been ignored, or old ones used instead.
When trying to install GCC we get this:
# apt-get install gcc
Reading package lists… Done
Building dependency tree
Reading state information… Done
Package gcc is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package gcc has no installation candidate
# cat /etc/apt/sources.list
deb http://apt.nexentastor.org hardy-unstable main contrib non-free
deb-src http://apt.nexentastor.org hardy-unstable main contrib non-free
any clue?
@Milan try this:
deb http://apt.nexentastor.org/3.1 hardy-testing main contrib non-free
deb-src http://apt.nexentastor.org/3.1 hardy-testing main contrib non-free
@Sergiu, done it. Now I have additional packages to update. Is it safe to proceed?
# apt-get update
Get:1 http://apt.nexentastor.org hardy-testing Release.gpg [185B]
Get:2 http://apt.nexentastor.org hardy-testing Release [7108B]
Get:3 http://apt.nexentastor.org hardy-testing/main Packages [428kB]
Get:4 http://apt.nexentastor.org hardy-testing/contrib Packages [7930B]
Get:5 http://apt.nexentastor.org hardy-testing/non-free Packages [4787B]
Get:6 http://apt.nexentastor.org hardy-testing/main Sources [66.2kB]
Get:7 http://apt.nexentastor.org hardy-testing/contrib Sources [2281B]
Get:8 http://apt.nexentastor.org hardy-testing/non-free Sources [1352B]
Fetched 518kB in 2s (181kB/s)
Reading package lists… Done
root@nexenta2:/volumes# apt-get install gcc
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
gcc-4.2 libgomp1 sunwarc sunwarcr
Suggested packages:
autoconf automake1.9 bison flex gcc-doc gcc-multilib gdb libtool manpages-dev gcc-4.2-doc gcc-4.2-locales gcc-4.2-multilib libgcc1-dbg libgomp1-dbg libmudflap0-4.2-dbg libmudflap0-4.2-dev
The following NEW packages will be installed:
gcc gcc-4.2 libgomp1 sunwarc sunwarcr
0 upgraded, 5 newly installed, 0 to remove and 76 not upgraded.
Need to get 2170kB of archives.
After this operation, 1144kB of additional disk space will be used.
Do you want to continue [Y/n]?
@Milan yes, I am up2date with all packages in that repo and everything works perfect. Come back after update and give feedback.
@Sergiu, one more check upon I run your patch.
# bash -version
GNU bash, version 3.2.48(1)-release (i386-pc-solaris2.11)
Copyright (C) 2007 Free Software Foundation, Inc.
Is the same version as you had before on Nexenta 3.1.5 right?
@Milan Yes, that was my default patch level. Then you need to follow my guide and download the next patches starting with 49.
@Sergiu, works like a charm. We are running commercial version and you saved us 5k of wasting licenses as NEX has totally removed all our hardware from the HCL.
Send me your contact info by e-mail, so I can donate you. 🙂
PS. upon make install we got some ignored errors.
# make install
***********************************************************
* *
* GNU bash, version 3.2.57(1)-release (i386-pc-solaris2.11)
* *
***********************************************************
mkdir -p -- /usr/local/man/man1
mkdir -p -- /usr/local/info
( cd ./po/ ; make DESTDIR= installdirs )
make[1]: Entering directory `/root/bash-3.2.48/po'
/bin/sh /root/bash-3.2.48/./support/mkinstalldirs /usr/local/share
mkdir -p -- /usr/local/share/locale/en@quot/LC_MESSAGES
mkdir -p -- /usr/local/share/locale/en@boldquot/LC_MESSAGES
mkdir -p -- /usr/local/share/locale/ru/LC_MESSAGES
if test "bash" = "gettext-tools"; then \
/bin/sh /root/bash-3.2.48/./support/mkinstalldirs /usr/local/share/gettext/po; \
else \
: ; \
fi
make[1]: Leaving directory `/root/bash-3.2.48/po'
/usr/bin/ginstall -c -m 0755 bash /usr/local/bin/bash
/usr/bin/ginstall -c -m 0555 bashbug /usr/local/bin/bashbug
( cd ./doc ; make \
man1dir=/usr/local/man/man1 man1ext=.1 \
man3dir=/usr/local/man/man3 man3ext=.3 \
infodir=/usr/local/info htmldir= DESTDIR= install )
make[1]: Entering directory `/root/bash-3.2.48/doc'
makeinfo --no-split -I../lib/readline/doc ./bashref.texi
make[1]: makeinfo: Command not found
make[1]: *** [bashref.info] Error 127
make[1]: Leaving directory `/root/bash-3.2.48/doc'
make: [install] Error 2 (ignored)
( cd ./builtins ; make DESTDIR= install )
make[1]: Entering directory `/root/bash-3.2.48/builtins'
make[1]: Nothing to be done for `install'.
make[1]: Leaving directory `/root/bash-3.2.48/builtins'
( cd ./po/ ; make DESTDIR= install )
make[1]: Entering directory `/root/bash-3.2.48/po'
test -z "en@quot.gmo en@boldquot.gmo ru.gmo" || make en@quot.gmo en@boldquot.gmo ru.gmo
make[2]: Entering directory `/root/bash-3.2.48/po'
make[2]: `en@quot.gmo' is up to date.
make[2]: `en@boldquot.gmo' is up to date.
make[2]: `ru.gmo' is up to date.
make[2]: Leaving directory `/root/bash-3.2.48/po'
touch stamp-po
/bin/sh /root/bash-3.2.48/./support/mkinstalldirs /usr/local/share
installing en@quot.gmo as /usr/local/share/locale/en@quot/LC_MESSAGES/bash.mo
installing en@boldquot.gmo as /usr/local/share/locale/en@boldquot/LC_MESSAGES/bash.mo
installing ru.gmo as /usr/local/share/locale/ru/LC_MESSAGES/bash.mo
if test "bash" = "gettext-tools"; then \
/bin/sh /root/bash-3.2.48/./support/mkinstalldirs /usr/local/share/gettext/po; \
for file in Makefile.in.in remove-potcdate.sin quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot Makevars.template; do \
/usr/bin/ginstall -c -m 644 ./$file \
/usr/local/share/gettext/po/$file; \
done; \
for file in Makevars; do \
rm -f /usr/local/share/gettext/po/$file; \
done; \
else \
: ; \
fi
make[1]: Leaving directory `/root/bash-3.2.48/po'