七叶笔记 » Linux » CentOS如何升级Bash(修复破壳漏洞)

CentOS如何升级Bash(修复破壳漏洞)

下面由centos教程栏目给大家介绍CentOS 升级 Bash — 修复破壳漏洞 ,希望对需要的朋友有所帮助!

因为很多公司都有自己的 yum 源,所以直接配置其他的 yum 源升级的话是不允许的,为了能方便的升级,并且安全的测试,先拿一台测试机做测试。

CentOS 的修复方案

安装 yum 插件 yum-downloadonly

注: yum-downloadonly 插件的作用是实现只下载所需包而不直接安装

sudo yum -y install yum-downloadonly

添加 CentOS 的官方源 CentOS-Base.repo

CentOS 5 的官方源

# CentOS-Base.repo## The mirror system uses the connecting IP address of the client and the# update status of each mirror to pick mirrors that are updated to and# geographically close to the client. You should use this for CentOS updates# unless you are manually picking other mirrors.## If the mirrorlist= does not work for you, as a fall back you can try the # remarked out baseurl= line instead.##[base]name=CentOS-$releasever - Basemirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/gpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5#released updates [updates]name=CentOS-$releasever - Updatesmirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/gpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5#additional packages that may be useful[extras]name=CentOS-$releasever - Extrasmirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/gpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5#additional packages that extend functionality of existing packages[centosplus]name=CentOS-$releasever - Plusmirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/gpgcheck=1enabled=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5#contrib - packages by Centos Users[contrib]name=CentOS-$releasever - Contribmirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/gpgcheck=1enabled=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

CentOS 6 的官方源

# CentOS-Base.repo## The mirror system uses the connecting IP address of the client and the# update status of each mirror to pick mirrors that are updated to and# geographically close to the client. You should use this for CentOS updates# unless you are manually picking other mirrors.## If the mirrorlist= does not work for you, as a fall back you can try the # remarked out baseurl= line instead.##[base]name=CentOS-$releasever - Basemirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/gpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6#released updates [updates]name=CentOS-$releasever - Updatesmirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/gpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6#additional packages that may be useful[extras]name=CentOS-$releasever - Extrasmirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/gpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6#additional packages that extend functionality of existing packages[centosplus]name=CentOS-$releasever - Plusmirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/gpgcheck=1enabled=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6#contrib - packages by Centos Users[contrib]name=CentOS-$releasever - Contribmirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/gpgcheck=1enabled=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

下载最新的 bash 包

把最新版本的 bash 的 rpm 包下载到 /tmp 目录

sudo  yum -y install --downloadonly --downloaddir=/tmp/ bash

下载后的包名分别如下:

CentOS 5

bash-3.2-33.el5_10.4.x86_64.rpm

CentOS 6

bash-4.1.2-15.el6_5.2.x86_64.rpm

安装最新的 bash 包

CentOS 5

sudo yum -y install bash-3.2-33.el5_10.4.x86_64.rpm

CentOS 6

sudo yum -y install bash-4.1.2-15.el6_5.2.x86_64.rpm

验证

env X='() { (a)=>\' sh -c "echo date"; cat echo 输出如下:

dateMon Sep 29 10:11:56 CST 2014

env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Hello" 输出如下:

Bash Hello

证明修复成功

加入现有的 rpm 源

最后一步就是把测试完成的包加入公司自己的源中,然后全网推送了。

相关文章