Patch Shellshock with Ansible

Published: 24-09-2014 | Author: Remy van Elst

This is a simple Ansible playbook to patch Debian, CentOS, Ubuntu and derivatives for the Shellshock vulnerability (CVE-2014-6271).

Quoting Ars:

The bug, discovered by Stephane Chazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

See the Ars Technica article for more info: http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

The simple playbook that fixes it, and adds the Debian 6 LTS repository where needed, consists of the following three files:

Main playbook:

 # cat playbooks/update.yml
 ---
 - hosts: all
   roles:
     # Debian, Ubuntu and derivatives use apt; CentOS/RHEL use yum
     - { role: apt-update, when: "ansible_os_family == 'Debian'" }
     - { role: yum-update, when: "ansible_os_family == 'RedHat'" }

Debian/Ubuntu role:

 # cat playbooks/roles/apt-update/tasks/main.yml
 ---
 # Debian 6 (squeeze) only receives the fixed bash from the squeeze-lts
 # repository, so add it before upgrading. The distribution check keeps this
 # task off Ubuntu hosts that happen to report major version 6.
 - copy: src=debian-6-lts.list dest=/etc/apt/sources.list.d/debian-6-lts.list
   when: ansible_distribution == "Debian" and ansible_distribution_major_version == "6"

 # Uncomment the following to test for the vuln. Note that the play then
 # stops on hosts that are already patched.
 #
 # - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;"
 #   register: result
 #
 # - fail:
 #     msg: "Not vulnerable"
 #   when: result.stdout != 'vulnerable'

 # Refresh the package index and install the newest bash
 - apt: name=bash state=latest update_cache=yes

Debian 6 LTS repo file:

 # cat playbooks/roles/apt-update/files/debian-6-lts.list

 # Added by Ansible to fix CVE-2014-6271 (ShellShock)
 # See http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
 deb http://http.debian.net/debian/ squeeze main contrib non-free
 deb-src http://http.debian.net/debian/ squeeze main contrib non-free

 deb http://security.debian.org/ squeeze/updates main contrib non-free
 deb-src http://security.debian.org/ squeeze/updates main contrib non-free

 deb http://http.debian.net/debian squeeze-lts main contrib non-free
 deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Yum Role:

 # cat playbooks/roles/yum-update/tasks/main.yml
 ---
 # Uncomment the following to test for the vuln. Note that the play then
 # stops on hosts that are already patched.
 #
 # - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;"
 #   register: result
 #
 # - fail:
 #     msg: "Not vulnerable"
 #   when: result.stdout != 'vulnerable'

 # Drop cached repository metadata so the fixed bash package is seen
 - command: /usr/bin/yum clean all

 - yum: name=bash state=latest

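
As an added example, not from the original article: a stand-alone POSIX sh script that performs the same canary check as the commented-out task in the two roles above, so you can verify a host before and after running the playbook. The function names (shellshock_*) and the optional bash path argument are my own.

```shell
#!/bin/sh
# Added example, not from the original article: a stand-alone check for
# CVE-2014-6271 using the same canary as the commented-out Ansible task.
# The shellshock_* names and the optional bash path argument are assumptions.

# Classify captured canary output. Returns 0 (vulnerable) when bash executed
# the command appended after the function definition, 1 otherwise.
shellshock_classify() {
    case "$1" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Run the canary against a bash binary (default: the bash on PATH). A
# vulnerable bash parses the environment variable 'evil' as a function
# definition and then runs the trailing "echo vulnerable"; a patched bash
# ignores it and prints only "canary". stderr is discarded because a patched
# bash may warn about the ignored trailing text.
shellshock_probe() {
    evil='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo canary' 2>/dev/null
}

# Print one report line for this host. Exit status: 0 vulnerable,
# 1 not vulnerable, 2 bash binary not found.
shellshock_report() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        printf '%s: %s not found\n' "$(uname -n)" "$bash_bin" >&2
        return 2
    fi
    version="$("$bash_bin" --version 2>/dev/null | head -n 1)"
    out="$(shellshock_probe "$bash_bin")"
    if shellshock_classify "$out"; then
        printf '%s: VULNERABLE to CVE-2014-6271 (%s)\n' "$(uname -n)" "$version"
        return 0
    fi
    printf '%s: not vulnerable (%s)\n' "$(uname -n)" "$version"
    return 1
}

# Usage: sh shellshock-check.sh [/path/to/bash]
# Run the check for this host and keep its status (0 = vulnerable) in
# SHELLSHOCK_STATUS; the if-wrapper keeps a non-zero status from aborting
# callers that run with set -e.
if shellshock_report "$@"; then SHELLSHOCK_STATUS=0; else SHELLSHOCK_STATUS=$?; fi
```

Run it with `ansible all -m script -a shellshock-check.sh` (or plain `sh`) before and after the playbook; hosts still printing VULNERABLE did not pick up the new bash package, which on Debian 6 usually means the squeeze-lts repository was not added.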
Tags: ansible , articles , bash , centos , cve-2014-6271 , debian , ubuntu