shellshock aix bash packages

A little post to try to help admins to find from where their bash package is from. On AIX, bash can come from from a lot of different sources :)

shellshock description

The best is to see directly the wikipedia shellshock page for a full description : http://en.wikipedia.org/wiki/Shellshock_(software_bug)

How to test bash vulnerabilities

Use shellshock_test.sh from http://shellshocker.net. it’s working on linux and AIX.

If you have direct internet access :

curl https://shellshocker.net/shellshock_test.sh | bash

Here a output from a patched infra server(no need to be root to test it) :

AIX bash packages

bash is packaged by a lot of different sources.

It’s possible to identify the provider with : rpm -qi bash

Name : bash Relocations: (not relocateable)
Version : 4.2 Vendor: (none)
Release : 18 Build Date: Wed Oct 1 20:52:59 2014
Install date: Thu Oct 2 10:56:23 2014 Build Host: aix51.perzl.org
Group : System Environment/Shells Source RPM: bash-4.2-18.src.rpm
Size : 4969852 License: GPLv2+
URL : http://www.gnu.org/software/bash
Summary : The GNU Bourne Again shell (bash) version %{version}
Description :
The GNU Bourne Again shell (Bash) is a shell or command language
interpreter that is compatible with the Bourne shell (sh). Bash
incorporates useful features from the Korn shell (ksh) and the C shell
(csh). Most sh scripts can be run by bash without modification. This
package (bash) contains bash version 4.2, which improves POSIX
compliance over previous versions.

Build date is very important. If your package was not build recently it’s vulnerable.

Build host: The best way we found to identify the package builder. Here it’s perzl.org.

Important : IBM security advisory is requesting to patch to version 4.2.3 but they are only speaking about the AIX Linux toolbox package.

Here a table listing different sources and package version :

upgrade command will be something like that :

rpm -Uvh your_bash_version.rpm