As you may already have read late yesterday, a serious vulnerability called 'Shellshock' was found in bash, a software package used on virtually every Linux, Unix and Mac OS X server. Bash is best known as a shell interpreter that allows logged-in users to execute commands.
Apart from this, bash is used extensively in a number of other ways: in shell scripts, as a supporting language for packages like CUPS and DHCP clients, and in some cases as the language of choice for CGI scripts.
The vulnerability presented yesterday allows attackers to manipulate environment variables whose contents are then treated as commands and executed by bash. This means that all systems using bash are in theory vulnerable; the extent to which they are actually vulnerable, however, is determined by the way bash is used.
In practice this means that most systems are not vulnerable to remote attacks, only to local ones. Only a small percentage of all systems is remotely exploitable. However, since it is quite difficult to determine whether a system is indeed vulnerable to remote attacks, it is recommended to upgrade as soon as possible.
All large Linux distributors (Red Hat, Ubuntu, Debian, Mint, etc.) have released updates through the regular channels. These updates fix the most important vulnerabilities but, as was announced today, unfortunately not all of them. The remaining ones, however, are considered to be of much lower risk. Therefore the advice to upgrade as soon as possible stands.
The definitive update is expected to be released soon and will again be made available through the regular channels.
To install the update on RPM-based systems the following command can be used:
To install the update on Debian-based systems the following command can be used:
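As an added example (not part of the original advisory), the POSIX shell script below runs the widely published local self-test for the original Shellshock bug (an unpatched bash executes the command that follows a function definition passed in through the environment, a patched one ignores it) and, depending on which package manager is present, prints the bash update command for RPM- or Debian-based systems. The command strings (`yum update bash`, `apt-get install --only-upgrade bash`) and the use of `yum` rather than `dnf` are assumptions on my part, not taken from the page.

```shell
#!/bin/sh
# Added example: local Shellshock self-check plus the matching update command.

# Return "rpm", "deb" or "unknown" depending on which package tools exist.
detect_pkg_family() {
    if command -v rpm >/dev/null 2>&1 && command -v yum >/dev/null 2>&1; then
        echo rpm
    elif command -v dpkg >/dev/null 2>&1 && command -v apt-get >/dev/null 2>&1; then
        echo deb
    else
        echo unknown
    fi
}

# Map a package family to the update command (assumed standard invocations).
# Returns 1 for an unknown family so callers can tell "no advice" apart.
update_command() {
    case "$1" in
        rpm) echo "yum update bash" ;;
        deb) echo "apt-get update && apt-get install --only-upgrade bash" ;;
        *)   return 1 ;;
    esac
}

# Self-test on the bash binary given as $1 (default: the bash on PATH).
# The variable x holds a function definition followed by an extra command;
# an unpatched bash runs that extra command while importing the function,
# so "VULNERABLE" appears in the output. A patched bash only prints "done".
# Returns 0 when the tested bash is still vulnerable, 1 otherwise
# (also 1 when bash is missing, since nothing was executed at all).
bash_still_vulnerable() {
    bash_bin="${1:-bash}"
    out="$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo done' 2>/dev/null)"
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

family="$(detect_pkg_family)"
if bash_still_vulnerable; then
    echo "bash still executes commands from environment variables; update with:"
    update_command "$family" || echo "<unknown distribution: use its package manager to update bash>"
else
    echo "bash ignores commands passed through the environment (patched or not affected)"
fi
```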
As this vulnerability comes with great risks, we have upgraded both the CloudVPS infrastructure and most servers of customers with an SLA2 or SLA3. If you don't have an additional service level agreement but would like us to update your server, please send us an email at firstname.lastname@example.org. We're happy to install the updates for you for a small fee.
More information about the incomplete update can be found here: