Shellshock Fixes Ready For Download, Get Your Bash Patch Here

Red Hat has announced that it has issued a complete set of patches to battle the 'Shellshock' Bash bug that it revealed to the world last week. You might notice that I said "patches", and that's because shortly after the initial CVE-2014-6271 was discovered and patched, more vulnerabilities came to the surface. These were not nearly as severe as the original, but they had to be taken care of as soon as possible nonetheless. These additional vulnerabilities are assigned CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

At this time, your Linux distribution of choice should have the full set of patches, although if it doesn't, it shouldn't take too much longer. Interestingly, I run a Debian 6-based server, and it hasn't been issued the patch as of the time of writing, although it looks like the initial bug was patched to some degree shortly after the bug was discovered (but not known to most of the world). This is a little disconcerting nonetheless, because this server remains very much open to attack.

After you update your systems, you can check for the vulnerability with a simple command:

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If running that command returns a "vulnerable" message, you'd be right in guessing that you are, in fact, vulnerable. If you're not vulnerable, you'll see a warning message as well as two errors. Beyond that, you'll want to run some other commands as well to make sure that you're not only protected against CVE-2014-6271, but the others as well.
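A system can carry more than one Bash binary, and each needs the same check. The following is an added example, not part of the original article or Red Hat's advisory: it wraps the command above so it can be run against each binary in turn. The function names and the default list of install paths are assumptions, and it tests only what the command above tests, not the additional CVEs.

```shell
#!/bin/sh
# Added example: wrap the article's check so it can be run per Bash binary.
# Function names and the default path list are illustrative assumptions.

# Classify the stdout of the test command.
classify_output() {
    case $1 in
        *vulnerable*) echo "vulnerable" ;;      # injected echo was executed
        *test*)       echo "not vulnerable" ;;  # only the intended command ran
        *)            echo "inconclusive" ;;    # shell did not run as expected
    esac
}

# Run the article's command against one shell binary and print a verdict.
shellshock_check() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "not found"
        return 0
    fi
    # Same two crafted environment variables as the command above. stderr is
    # discarded because patched builds may print warnings and errors there.
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$shell_path" -c 'echo test' 2>/dev/null)
    classify_output "$out"
}

# Check several binaries; returns 1 if any of them is vulnerable.
shellshock_scan() {
    # Assumed common install locations, used when no paths are given.
    [ "$#" -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    rc=0
    for p in "$@"; do
        verdict=$(shellshock_check "$p")
        printf '%s: %s\n' "$p" "$verdict"
        if [ "$verdict" = "vulnerable" ]; then rc=1; fi
    done
    return $rc
}

# Run the scan only when invoked as: sh thisfile.sh scan [paths...]
if [ "${1:-}" = "scan" ]; then shift; shellshock_scan "$@"; fi
```

The non-zero return from shellshock_scan makes it usable in a patch-verification script that should fail while any listed binary is still unpatched.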

Shellshock doesn't only affect Linux, of course; it also plagues Mac OS X - although to a lesser degree. In a response to iMore last week, Apple says that the vast majority of OS X users are not at any risk, as to effectively enable the exploit, you'd have to adjust some advanced Unix services. Nonetheless, Apple will be releasing a patch soon that remedies the issue.


Via:  Red Hat