Is Proxmox Vulnerable to CVE-2014-6271

[tincboy]

https://securityblog.redhat.com/201...-environment-variables-code-injection-attack/

I've both Proxmox 2 and 3 in public internet, would you please let me know if there's any risk for me using Proxmox?

 

[dietmar]

First, there is already a fix for that - just update:

bash (4.2+dfsg-0.1+deb7u1) wheezy-security; urgency=high

* Apply patch from Chet Ramey to fix CVE-2014-6271.

Second, we do not use CGI so I think there is low risk.

 

[tincboy]

Thanks,
I've successfully upgrade bash to use 4.2+dfsg-0.1+deb7u1 which is Debian's officail patch for Proxmox 3
But on Proxmox 2, I'm not able to install 4.1-3+deb6u1 which is official Debian's patch via `apt-get update && apt-get upgrade` command,
https://security-tracker.debian.org/tracker/CVE-2014-6271


Would you please let me know how to patch Proxmox 2 ?

 

[Erwin123]

I found this:
https://gist.github.com/mattwhite/86de50d30134129e44ef

Unfortunatly I can't judge if its any good.

 

[tincboy]

I've found patched version of bash for Squeez in link below, is it safe to be installed on Proxmox ?
wget ftp://ftp.fr.debian.org/debian/pool/main/b/bash/bash_4.1-3+deb6u1_amd64.deb

 

[ejmerkel]

First, there is already a fix for that - just update:

bash (4.2+dfsg-0.1+deb7u1) wheezy-security; urgency=high

* Apply patch from Chet Ramey to fix CVE-2014-6271.

Second, we do not use CGI so I think there is low risk.

I have numerous patches on some proxmox nodes waiting but I would like to just update the bash package from the command line (SSH). What is the proper command to do this? Is it just

[COLOR=#000000]apt[/COLOR][COLOR=#000000]-[/COLOR][COLOR=#000000]get install bash[/COLOR]

Thanks,
Eric

 

[tincboy]

I have numerous patches on some proxmox nodes waiting but I would like to just update the bash package from the command line (SSH). What is the proper command to do this? Is it just

[COLOR=#000000]apt[/COLOR][COLOR=#000000]-[/COLOR][COLOR=#000000]get install bash[/COLOR]

Thanks,
Eric

you can use

apt-get install --only-upgrade bash

 

[kobuki]

When using Squeeze, don't forget to add the LTS repo to the apt sources. More info: https://wiki.debian.org/LTS/Using

The LTS repository already contains the fixed Bash package. No need to fiddle with random patches and .deb downloads.

 

[Erwin123]

Can someone comment if this is a save solution for older Proxmox Lenny?
https://gist.github.com/mattwhite/86de50d30134129e44ef

 

[esud]

You can update bash in Proxmox 2.x with following commands: http://online.esud.info/how-to-fix-shellshock-on-proxmox/

 

[Erwin123]

Excellent, thank you esud.

 

[sumsum]

Do I need to reboot or restart services after installing this update?

No, a reboot of your system or any of your services is not required. This vulnerability is in the initial import of the process environment from the kernel. This only happens when Bash is started. After the update that fixes this issue is installed, such new processes will use the new code, and will not be vulnerable. Conversely, old processes will not be started again, so the vulnerability does not materialize. If you have a strong reason to suspect that a system was compromised by this vulnerability then a system reboot should be performed after the update is installed as a best security practice and security checks should be analyzed for suspicious activity.