Shellshock patch for RHEL 4, CentOS 4, Enterprise Linux 4 – CVE-2014-6271

Shellshock (aka Bashdoor) is a collection of security vulnerabilities in the popular bash shell executable, disclosed on September 24, 2014.
The vulnerability causes bash to execute a command embedded in a specially crafted environment variable whenever bash is started.
This can be exploited remotely because web servers will sometimes place external parameters into shell variables.
Several fixes were released that still had additional issues, until the final patch for RHEL 4 was released on the 26th of September.
This is unfortunate for people who are still running CentOS version 4 and are unable to upgrade.

All versions of CentOS 4.x, RHEL 4.x and EL 4.x are vulnerable, including RHEL 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8 and 4.9.

On Fri, 26 Sep 2014, Oracle released RPMs with a fix for the Shellshock vulnerability CVE-2014-6271 and the related vulnerabilities CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

The packages released by Oracle can be used to patch systems running CentOS 4.x, RHEL 4.x and Oracle Enterprise Linux 4.x, and don’t require a subscription.

You can use these packages if you are running Red Hat Linux 4.x without a subscription.

Disclaimer: Proceed at your own risk; I am not responsible if the commands suggested here break something. Always have a backup in place just in case.

The index of all the patches for x86_64 systems is:
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/

The index of all the patches for i386/i686 systems is:
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/

Update example for x86_64 systems:

Update example for i686 systems:

Equivalent or outdated RPMs provided by Red Hat in advisory RHSA-2014:1294-1, RHSA-2014:1311-2 for Red Hat Enterprise Linux ELS (v. 4) and Oracle
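
After installing the update, it is worth confirming that the bash binary on disk no longer runs a trailing command while importing an environment variable. The script below is an added example, not part of the original post; it checks CVE-2014-6271 only (not the related CVEs listed above), and the script name, function names and marker string are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): post-update check for CVE-2014-6271.
# Usage: sh check_shellshock.sh /bin/bash
MARKER="SHELLSHOCK_CHECK_MARKER"   # constructed, harmless string

# classify_output TEXT -> 0 = fixed, 1 = vulnerable, 2 = inconclusive
classify_output() {
    case $1 in
        *"$MARKER"*)  return 1 ;;  # trailing command ran during variable import
        *check-done*) return 0 ;;  # only the requested command ran
        *)            return 2 ;;  # bash produced no usable output
    esac
}

# check_bash BIN: start BIN once with a function-style variable that carries a
# trailing "echo", then classify what BIN printed.
check_bash() {
    [ -x "$1" ] || return 2
    out=$(env "probe=() { :;}; echo $MARKER" "$1" -c 'echo check-done' 2>/dev/null) || true
    classify_output "$out"
}

# report BIN: print a one-line verdict and, where rpm exists, the package version.
report() {
    rc=0
    check_bash "$1" || rc=$?
    case $rc in
        0) echo "$1: not vulnerable to CVE-2014-6271" ;;
        1) echo "$1: VULNERABLE to CVE-2014-6271, the update did not take effect" ;;
        *) echo "$1: could not be tested" ;;
    esac
    # rpm -q is only meaningful on RPM-based systems such as EL4
    if command -v rpm >/dev/null 2>&1; then rpm -q bash || true; fi
    return "$rc"
}

# Run only when a path is given on the command line.
if [ "$#" -gt 0 ]; then report "$1"; fi
```

The exit status of the script is the verdict (0 fixed, 1 vulnerable, 2 not testable), so it can be run across several hosts from an inventory loop.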
