A mechanism for remote code execution through Bash was widely reported yesterday and today (September 24, 2014): http://seclists.org/oss-sec/2014/q3/650 Reported as CVE-2014-7169 or CVE-2014-6271.
For reasons too stupid for me to explain in public, I am responsible for a server running RHEL 4 with no update subscription. I could build a clone to test this, but I hope someone will have a direct answer.
- Has /bin/bash from Centos 4 been patched, or will it be?
- Can I just plop a (presumably patched) Centos 4 /bin/bash into my RHEL system as a workaround that will buy me several weeks? (I need until December 10)
Best Answer
A patch has been provided by Oracle for el4:
https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.1.el4.src.rpm
https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm
https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.3.el4.src.rpm
https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.el4.src.rpm
As it is a src RPM, you need to compile it with rpmbuild, or use one of these links to avoid the build:
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.1.el4.i386.rpm
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.3.el4.i386.rpm
I tested it on a 4.9 i386 system; it passed the exploit test I have. (Ted)
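The answer refers to an exploit test but does not show one. As an added example, not the question author's or Ted's, the POSIX sh script below probes a bash binary for the two CVEs named in the question using the publicly documented test strings for each, so the installed RPM can be verified before and after the swap. The BASH_UNDER_TEST variable and the function names are this example's own; everything else is the standard detection check for these bugs.

```shell
#!/bin/sh
# Added example: local check for CVE-2014-6271 and CVE-2014-7169 in bash.
# Each check prints exactly one word: patched, vulnerable, bash-not-found or error.

# Interpreter under test. Defaults to "bash" on PATH; set BASH_UNDER_TEST to the
# path of a freshly built binary to test it before it replaces /bin/bash.
bash_bin() {
  printf '%s\n' "${BASH_UNDER_TEST:-bash}"
}

# CVE-2014-6271: a vulnerable bash, when importing an environment variable whose
# value starts with "() {", executes whatever follows the function body. The
# command actually requested is ':' (a no-op), so the word "vulnerable" can only
# reach stdout through the trailing command smuggled in the variable.
check_cve_2014_6271() {
  b=$(bash_bin)
  command -v "$b" >/dev/null 2>&1 || { echo bash-not-found; return 0; }
  if env x='() { :;}; echo vulnerable' "$b" -c ':' 2>/dev/null | grep -q '^vulnerable$'; then
    echo vulnerable
  else
    echo patched
  fi
}

# CVE-2014-7169: the incomplete first fix left a parser bug. The value below
# closes the function body early and leaves a dangling redirection, so an
# affected bash runs "date" and writes its output to a file literally named
# "echo" in the current directory; a fixed bash simply prints the word "date".
# The probe runs in a private temporary directory and looks for that file.
check_cve_2014_7169() {
  b=$(bash_bin)
  command -v "$b" >/dev/null 2>&1 || { echo bash-not-found; return 0; }
  dir=$(mktemp -d 2>/dev/null) || { echo error; return 0; }
  (cd "$dir" && env X='() { (a)=>\' "$b" -c 'echo date' >/dev/null 2>&1) || true
  if [ -f "$dir/echo" ]; then
    echo vulnerable
  else
    echo patched
  fi
  rm -rf "$dir"
}

# Overall verdict: "patched" only when both probes pass, otherwise the pair of
# individual results so the reader can see which fix is missing.
shellshock_status() {
  r1=$(check_cve_2014_6271)
  r2=$(check_cve_2014_7169)
  if [ "$r1" = patched ] && [ "$r2" = patched ]; then
    echo patched
  else
    echo "not-patched ($r1/$r2)"
  fi
}

# Human-readable report, including the version banner of the binary under test
# so the output can be compared against the RPM that was installed.
shellshock_report() {
  b=$(bash_bin)
  printf 'bash under test : %s\n' "$b"
  printf 'version         : %s\n' "$("$b" --version 2>/dev/null | head -n 1)"
  printf 'CVE-2014-6271   : %s\n' "$(check_cve_2014_6271)"
  printf 'CVE-2014-7169   : %s\n' "$(check_cve_2014_7169)"
  printf 'overall         : %s\n' "$(shellshock_status)"
}

shellshock_report
```

Run it once before installing the RPM (expect "vulnerable" on both lines on an unpatched EL4 box), then again afterwards; the second probe is the one that distinguishes the original bash-3.0-27.0.1 fix from the later builds, which is why the status line reports both results separately.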