http://www.infoq.com/news/2014/09/bash-remote-exploit
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability
http://www.pcweek.ru/foss/blog/foss/6963.php
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.2
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.3
nodeX:~ # env VAR='() { :; }; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash Test
nodeX:~ # ssh nodeY
nodeY:~ # env VAR='() { :; }; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test
nodeY:~ #
http://shellshock.brandonpotter.com/
http://www.shellshocktest.com/
http://bashsmash.ccsir.org/
if you have some old / EOL release:
mkdir src cd src wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz #download all patches for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done tar zxvf bash-4.3.tar.gz cd bash-4.3 #apply all patches for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done #build and install ./configure && make && make install cd .. cd .. rm -r src