Laravel Forge - Fixing the CVE-2014-6271 Bash Vulnerability

Posted on September 24, 2014 | By Matt Stauffer


Warning: This post is over a year old. I don't always update old posts with new information, so some of this information may be out of date.

What is it?

A dangerous vulnerability in bash, a shell that's enabled by default on pretty much every *nix system ever. Learn more here. In short, it's bad but it's wildly easy to fix.

How do I fix it?

UPDATE: Ubuntu released a patch to fix this vulnerability after I wrote this post, and since Forge auto-applies security fixes nightly, all Forge-managed servers are now safe. You can read on for fun, but you're now safe.

It's likely going to be automatically fixed in an Ubuntu security update soon, but if you want to manually update your Forge-managed servers (or any other Ubuntu servers)--I would recommend this--just SSH into your server and run the following:

$ sudo apt-get update && sudo apt-get install --only-upgrade bash

This will get an updated list of available packages (apt-get update) and then just upgrade bash. It wouldn't hurt to reboot your server afterwards, although it's not necessary--you can do this through Forge or by running sudo reboot on your server.

Not enough?

Per this tweet, even this bash patch might not be ENOUGH--but it's better to apply and keep your eyes on the bug than to not apply.

Is my server vulnerable?

You can also run the following to check whether your server is even vulnerable:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the following output, your server is vulnerable:

vulnerable
this is a test

If you see any other output, likely the following, your server is safe:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
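The same check wrapped into a script you can run on each Forge-managed server (over SSH, for instance) and act on by exit code instead of eyeballing two lines of output. This is an added example, not code from the original post; it assumes a bash binary is on PATH, and the dpkg-query call is skipped on non-Debian systems.

```shell
#!/bin/sh
# Added example (not from the original post). Runs the post's env-based
# test and turns the result into a status string plus an exit code, so it
# can be run unattended across many servers.

# Prints one of: vulnerable, patched, unknown. Returns 1 when vulnerable.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return 2; }
    # An unpatched bash parses the text after the function body in the
    # exported variable and executes it; a patched bash refuses the
    # import and only warns on stderr, which is discarded here.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Reports the installed bash version so the result can be matched
# against the Ubuntu security advisory for this CVE.
bash_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' bash 2>/dev/null || echo unknown
    else
        bash --version 2>/dev/null | head -n 1
    fi
}

# One report line per server; a "vulnerable" status means apt-get
# install --only-upgrade bash (as above) is still needed there.
printf 'bash %s: %s\n' "$(bash_package_version)" "$(shellshock_status)"
```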

Comments? I'm @stauffermatt on Twitter


Tags: laravel  •  forge