How to detect if your server is vulnerable to the Shellshock bug and fix it
Ástþór IP
The Shellshock vulnerability is a security bug affecting Unix/Linux operating systems through the bash shell. Disclosed on September 24 2014, it has been rated 10 (the maximum score) for severity by NIST. Debian installs bash by default, so you're probably affected!
To check if your server is vulnerable, run this command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the results look like this, you are affected:
user@host:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
However, if you get these results, you are not affected:
user@host:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
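As an added example (not part of the original article), the check above can be wrapped in a script that gives a verdict per binary, which helps when a server has more than one bash installed, since apt only upgrades the packaged one. The function names check_bash and check_all and the marker string are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article. check_bash and check_all are
# hypothetical helper names; the probe itself is the command shown above.

# check_bash [PATH_TO_BASH]
# Prints "vulnerable", "not vulnerable" or "unknown"; returns 1, 0 or 2.
check_bash() {
    shell_bin=${1:-bash}
    # Per-run marker so an unrelated "vulnerable" string cannot cause a false hit.
    marker="shellshock-probe-$$"
    # Function definition followed by a trailing command, as in the article.
    # stderr is dropped: a patched bash may print warnings there.
    out=$(env x="() { :;}; echo $marker" "$shell_bin" -c 'echo this is a test' 2>/dev/null) || :
    case "$out" in
        *"$marker"*)        echo "vulnerable";     return 1 ;;
        *"this is a test"*) echo "not vulnerable"; return 0 ;;
        *)                  echo "unknown";        return 2 ;;  # binary missing or failed
    esac
}

# check_all PATH...
# Probes every binary given and returns 1 if any of them is vulnerable.
check_all() {
    rc=0
    for b in "$@"; do
        verdict=$(check_bash "$b") || :
        printf '%s: %s\n' "$b" "$verdict"
        if [ "$verdict" = "vulnerable" ]; then
            rc=1
        fi
    done
    return $rc
}

# Example call (paths are assumptions; list the bash binaries on your system):
#   check_all /bin/bash /usr/local/bin/bash
```

Run it again after upgrading to confirm that every listed binary reports "not vulnerable".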
Wheezy
If you are running the latest Debian release, the solution is simple. Just update the system:
apt-get update
apt-get upgrade
Squeeze
If you are running squeeze you need to add the LTS apt source and update bash:
1. Append LTS to apt sources (pico /etc/apt/sources.list)
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
2. Update apt
apt-get update
3. Upgrade bash to the latest version
apt-get install -t squeeze-lts --only-upgrade bash
Older releases
If you are using an older release, you should update to wheezy.