Raymii.org
Patch Shellshock with Ansible
Published: 24-09-2014 | Author: Remy van Elst | Text only version of this article
This is a simple Ansible playbook that patches Debian, CentOS, Ubuntu and their derivatives against the Shellshock vulnerability (CVE-2014-6271).
Quoting Ars:
The bug, discovered by Stéphane Chazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
See the Ars Technica article for more info.
The simple playbook that fixes it, and adds the Debian 6 LTS repository where needed, consists of the following three files:
Main role:
# cat playbooks/update.yml
---
- hosts: all
  roles:
    - { role: apt-update, when: "ansible_os_family == 'Debian'" }
    - { role: yum-update, when: "ansible_os_family == 'RedHat'" }
Debian/Ubuntu role:
# cat playbooks/roles/apt-update/tasks/main.yml
- copy: src=debian-6-lts.list dest=/etc/apt/sources.list.d/debian-6-lts.list
  when: ansible_distribution_major_version == "6"
# Uncomment the following to test for the vuln.
#
# - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;"
#   register: result
# - fail:
#     msg="Not vulnerable"
#   when: result.stdout != 'vulnerable'
- apt: name=bash state=latest update_cache=yes
Debian 6 LTS repo file:
# cat playbooks/roles/apt-update/files/debian-6-lts.list
# Added by Ansible to fix CVE-2014-6271 (ShellShock)
# See http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
Yum role:
# cat playbooks/roles/yum-update/tasks/main.yml
# Uncomment the following to test for the vuln.
#
# - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;"
#   register: result
# - fail:
#     msg="Not vulnerable"
#   when: result.stdout != 'vulnerable'
- command: /usr/bin/yum clean all
- yum: name=bash state=latest
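As an added example (not part of the original article), the apt-update role below is extended with a verification step: after upgrading bash it re-runs the same harmless probe the article ships commented out and fails the play if the upgraded bash still executes the code trailing the function definition. The task names and the `shellshock_after` variable are choices made here; the final task can be appended unchanged to the yum-update role as well.

```yaml
# playbooks/roles/apt-update/tasks/main.yml (added example, not the article's file)
---
- name: Add the Debian 6 LTS repository (squeeze hosts only)
  copy: src=debian-6-lts.list dest=/etc/apt/sources.list.d/debian-6-lts.list
  when: ansible_distribution_major_version == "6"

- name: Upgrade bash to the latest packaged version
  apt: name=bash state=latest update_cache=yes

# Post-patch check. The probe exports a variable whose value starts with a
# function definition followed by an extra command; a vulnerable bash runs that
# command on startup and prints "vulnerable" before the real "probe" echo.
# changed_when: false keeps the check from being reported as a change, and
# failed_when turns a still-vulnerable host into a failed play instead of a
# silently "patched" one.
- name: Verify the fix for CVE-2014-6271 and fail the play if bash is still affected
  shell: env x='() { :;}; echo vulnerable' bash -c 'echo probe'
  register: shellshock_after
  changed_when: false
  failed_when: "'vulnerable' in shellshock_after.stdout"
```

Using `env` instead of `export` makes the probe independent of which shell the Ansible `shell` module invokes (dash on Debian/Ubuntu, bash on CentOS), since the variable is handed directly to the bash child process.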
Tags: ansible, articles, bash, centos, cve-2014-6271, debian, ubuntu