How to update bash to avoid "shellshock" vulnerability? : Forums : PythonAnywhere

How to update bash to avoid "shellshock" vulnerability?

How can we upgrade bash on our instances? This is a nasty vulnerability and should be addressed ASAP.

http://www.zdnet.com/shellshock-how-to-protect-your-unix-linux-and-mac-servers-7000034072/ https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/

Test your instance like this -- if you see "vulnerable" echoed back, you're vulnerable.

env VAR='() { :;}; echo vulnerable' bash -c "echo Bash Test"

deleted-user-334950 | 8 posts | Sept. 26, 2014, 9:01 p.m. | permalink

In order to take advantage of the bug, an attacker must be able to pass information that they control into the bash environment. On PythonAnywhere, the bash environment of the bash processes that you run is deeply insulated from any inputs except the ones that PythonAnywhere provides.

When the bug was first announced, we auditted our code for any places where user-provided values could be passed into a bash process and there were none.

We will update the bash executable when an update is available.

glenn | 10018 posts | PythonAnywhere staff | Sept. 27, 2014, 11 a.m. | permalink

For info, we've now upgraded to Trusty, which includes new bash binaries. More.

harry | 2710 posts | PythonAnywhere staff | Oct. 29, 2014, 8:08 a.m. | permalink