Bash – Legacy Debian versions and Bash Shellshock

bashdebianshellshock

We are running Debian Etch, Lenny and Squeeze because upgrades have never been done in this shop; we have over 150 systems running various Debian versions. In light of the "shell shock" of this week, I assume I need to upgrade bash. I do not know Debian so I am concerned.

Can I merely execute apt-get install bash on all of my Debian systems and get the correct Bash package while my repository is pointed at a Squeeze entry. If not, what other course of action do I have?

Best Answer

You have the option to just upgrade bash. To do so use the following apt-get command:

apt-get update

Then after the update fetches all of the available updates run:

apt-get install --only-upgrade bash

To get updates on older releases, Squeeze for example, you will probably need to add the Squeeze-LTS repo to your sources.list.

To add this repository, edit /etc/apt/sources.list and add the following line to the end of the file.

deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib

To check a particular system for the vulnerabilities (or see if the upgrade works) you can check the bash versions that you are using and see if the version is affected (it probably is) or there are numerous shell test scripts available on the web.

EDIT 1

To upgrade bash on Lenny or Etch, take a look at Ilya Sheershoff's answer below for how to compile bash from source and manually upgrade the version of bash that your release is using.

EDIT 2

Here is an example sources.list file from a Squeeze server I successfully upgraded:

deb http://ftp.us.debian.org/debian/ squeeze main
deb-src http://ftp.us.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

# squeeze-updates, previously known as 'volatile'
deb http://ftp.us.debian.org/debian/ squeeze-updates main
deb-src http://ftp.us.debian.org/debian/ squeeze-updates main

# Other - Adding the lsb source for security updates
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Related Solutions

Debian Package Management – Is It Safe to Install Packages from Older Repository Versions?

In this case, yes, it's possible and safe.

As debian keep dependences tree for each requested package.

At all there is still a risk that some libraries could not exist in two different version together in same installation, due to conflict (port reservation, device driver and so). In this kind of situation, apt would prevent you and ask for what to do. (Come back with another UL question in this case;-)

You could add squeeze.list to source.list.d

(Care! New versions of APT will ignore filename not ending by ".list".):

cat <<eof >/etc/apt/sources.list.d/squeeze.list
deb http://ftp.be.debian.org/debian/ squeeze-updates main contrib
deb-src http://security.debian.org/ squeeze/updates main contrib
eof

add a default directive to /etc/apt/apt.conf.d/

cat <<eof >/etc/apt/apt.conf.d/99squeeze
APT::Default-Release "wheezy";

Than use -t switch to apt-get for overriding default config:

apt-get -t squeeze install scim-pinyin

Debian – download packages for different distribution with apt

APT's core job is to resolve dependencies. So you can't really blame it for complaining about dependencies.

You'll need to invoke it with a different configuration so that it doesn't mix the package databases. Keep separate apt.conf and sources.list files and for each distribution, e.g..

apt-get -o Dir::Etc::Main=/path/to/precise/apt.conf -d …

with apt.conf containing at least

Dig::State::status "/path/to/precise/status";
APT::Get::Download-Only "true";

You may need to symlink or replicate some files in /etc/apt in the /path/to/precise directory (depending on what you have in them).

Do not run apt-get as root when you pass an alternate database. If apt-get has permission to modify your system and you accidentally misconfigure something or turn off -d, you could seriously mess up your system. Run apt-get with only the privileges it needs, which as long as you're only downloading stuff doesn't include root. You will need to have enough permissions to write to the cache directory /var/cache/apt and its contents; I recommend creating a group for that (addgroup aptcache; chgrp -R aptcache /var/cache/apt; chmod -R g+w /var/cache/apt and adding yourself to it).