CloudLinux OS Blog - Beta: Better fix for Shellshock bash vulnerability

Beta: Better fix for Shellshock bash vulnerability

As the Shellshock vulnerability keeps giving, we have been working on protecting our customers with something more durable than band-aid patches.

The problem with Shellshock is that bash allows function imports via environment variables. It tries to parse them, and even execute them. As the bash parser is complex and not bulletproof, more and more vulnerabilities are being found, some of them reported to be as dangerous as the first one.

After careful consideration we decided to go the way OpenBSD & FreeBSD have already taken, and disable function imports via environment variables by default.
It might break some scripts that rely on that, but our hope is that none of those scripts run in a typical shared hosting environment.

We have yet to push the updated bash packages into the production repository. For now they are available only from our beta repository. As we collect more feedback from our customers (or if another dangerous exploit becomes public), we will push this version of bash to the production channels.

To update:
$ yum update bash --enablerepo=cloudlinux-updates-testing

If you still need to import functions via environment variables, you can run bash with the --import-functions flag:
$ bash --import-functions
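
Before rolling the beta package out, it helps to know which scripts on a server depend on exported functions and whether the installed bash still imports them. The following is an added example, not CloudLinux's own tooling; the function names and the sample scripts are constructed for illustration. It only recognises the common `export -f`, `declare -fx` and `typeset -fx` forms.

```shell
#!/bin/sh
# Added example: audit for scripts that rely on bash function export,
# and probe whether the installed bash imports functions from the environment.

# Print (sorted) the files under directory $1 that export shell functions.
scripts_exporting_functions() {
    grep -rlE -- \
      '(^|[^[:alnum:]_])(export[[:space:]]+-f|(declare|typeset)[[:space:]]+-(fx|xf))([[:space:]]|$)' \
      "$1" 2>/dev/null | sort
}

# Return 0 if a child bash sees a harmless function exported by its parent,
# 1 if it does not (import disabled by default, or bash not installed).
bash_imports_functions() {
    out=$(bash -c 'cl_probe() { :; }; export -f cl_probe; bash -c "type -t cl_probe"' \
          2>/dev/null) || true
    [ "$out" = "function" ]
}

# Build a small constructed tree of sample scripts and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/bash' 'log() { echo "$@"; }' 'export -f log' \
        'bash -c "log hi"' > "$d/uses_export.sh"
    printf '%s\n' '#!/bin/bash' 'helper() { :; }' 'declare -fx helper' \
        > "$d/uses_declare.sh"
    printf '%s\n' '#!/bin/bash' 'export PATH=/usr/bin' 'echo done' \
        > "$d/plain.sh"
    echo "$d"
}

# Demo run on the constructed tree; point the audit at real script
# directories on a test machine instead.
sample=$(make_sample_tree)
echo "Scripts that rely on exported functions:"
scripts_exporting_functions "$sample"
if bash_imports_functions; then
    echo "bash imports functions from the environment"
else
    echo "function import is disabled by default (or bash was not found)"
fi
rm -rf "$sample"
```

Scripts the audit lists are the ones to test under the beta package, or to start through bash with --import-functions.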

Comments 2

Guest - Petar Petrov on Tuesday, 30 September 2014 09:16

Is this fix cPanel compatible?
cPanel uses many bash scripts so can we be absolutely sure that the fix won't break something?

Guest - Igor Seletskiy on Wednesday, 01 October 2014 09:07

This fix should be cPanel compatible, but it is a beta for a reason -- we cannot fully test cPanel, hence we need clients to try.
If it doesn't work -- you can always roll back with yum downgrade bash
