0

I just installed 14.04 today, found seems the system still have Shellshock issue:

dli@srv:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:    14.04
Codename:   trusty
dli@srv:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

I think might be better to get it fixed from the installation image?

dli
  • 153
  • 7
  • Did you run `sudo apt-get update; sudo apt-get upgrade` yet? The last time I checked with the Ubuntu Security Team there were no unfixed Shellshock issues... – Thomas Ward Nov 18 '14 at 22:14

1 Answers1

2

As can be seen from What is the CVE-2014-6271 bash vulnerability (Shellshock) and how do I fix it?, the patched version for 14.04 is 4.3-7ubuntu1.4, whereas the 14.04.1 image contains 4.3-6ubuntu1. Once released, an ISO is never changed. So an installation image will contain the fix when 14.04.2 is released.

Community
  • 1
muru
  • 193,181
  • 53
  • 473
  • 722
  • 1
    @dli note that a simple `sudo apt-get update; sudo apt-get upgrade` will fix this on installed OSes - however as muru states the ISOs are not updated themselves, so only updating your system with `apt-get` or Update Manager (if GUI) will fix it on actual installs. – Thomas Ward Nov 19 '14 at 03:43
  • @ThomasW., yes, thank you very much also! I test your command works very well! – dli Nov 19 '14 at 04:22