CentOS 升级 Bash --- 修复破壳漏洞

头像
yexiaobai
    阅读 4 分钟
    2

    因为很多公司都有自己的 yum 源,所以直接配置其他的 yum 源升级的话是不允许的,为了能方便的升级,并且安全的测试,先拿一台测试机做测试。

    CentOS 的修复方案

    安装 yum 插件 yum-downloadonly

    注: yum-downloadonly 插件的作用是实现只下载所需包而不直接安装

    sudo yum -y install yum-downloadonly

    添加 CentOS 的官方源 CentOS-Base.repo

    CentOS 5 的官方源

    # CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the 
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
#released updates 
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

    CentOS 6 的官方源

    # CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the 
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates 
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

    下载最新的 bash 包

    把最新版本的 bash 的 rpm 包下载到 /tmp 目录

    sudo  yum -y install --downloadonly --downloaddir=/tmp/ bash

    下载后的包名分别如下:

    CentOS 5

    bash-3.2-33.el5_10.4.x86_64.rpm

    CentOS 6

    bash-4.1.2-15.el6_5.2.x86_64.rpm

    安装最新的 bash 包

    CentOS 5

    sudo yum -y install bash-3.2-33.el5_10.4.x86_64.rpm

    CentOS 6

    sudo yum -y install bash-4.1.2-15.el6_5.2.x86_64.rpm

    验证

    env X='() { (a)=>\' sh -c "echo date"; cat echo 输出如下:

    date
Mon Sep 29 10:11:56 CST 2014

    env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Hello" 输出如下:

    Bash Hello

    证明修复成功

    加入现有的 rpm 源

    最后一步就是把测试完成的包加入公司自己的源中,然后全网推送了。

    centosbash破壳漏洞
    yexiaobai
    4.8k 声望875 粉丝

    就是不告诉你 O(∩_∩)O哈哈~。

    « 上一篇
    Graphite 和 grafana 集成
    下一篇 »
    Linux - Swap 篇

    引用和评论

    推荐阅读
    头像
    K8S client-go Patch example

    yexiaobai2阅读 14.3k评论 1

    头像
    阿里云ECS服务器部署Node.js项目全过程详解

    kovli1阅读 5.2k

    头像
    CentOS安装Redis

    YYGP1阅读 6.3k

    头像
    Nginx + CertBot 配置HTTPS泛域名证书(CentOS7)

    YYGP阅读 2k

    头像
    yum/dnf安装Docker

    YYGP阅读 1k

    头像
    centos系统更换yum源为国内源方法实践

    apollo008阅读 862

    头像
    玩转中文输入法 - 让你的Centos(或其他Linux)系统彻底支持输入中文

    apollo008阅读 371

    0 条评论
    得票最新