4

I upgraded my old Debian 6.0 (Squeeze) server, but still the vulnerability seems to be there:

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

How do I upgrade Bash to a newer version on Debian 6.0 (Squeeze)?

Peter Mortensen
rubo77

2 Answers

6

To get updates on older releases you will probably need to add the Debian 6.0 (Squeeze) LTS repository to your sources.list.

To add this repository, edit /etc/apt/sources.list and add the following line to the end of the file.

deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib

Then run:

apt-get update

You should see some new sources in the list of repositories now as the update is running. Now just:

apt-get install --only-upgrade bash

Here is a listing of my sources.list file from a Squeeze server I just upgraded:

deb http://ftp.us.debian.org/debian/ squeeze main
deb-src http://ftp.us.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

# squeeze-updates, previously known as 'volatile'
deb http://ftp.us.debian.org/debian/ squeeze-updates main
deb-src http://ftp.us.debian.org/debian/ squeeze-updates main

# Other - Adding the LTS source for security updates
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
Peter Mortensen
111---
  • But I am on squeeze already – rubo77 Sep 26 '14 at 19:50
  • OK, when I do this (with wheezy instead of squeeze), I get `The following packages have unmet dependencies: libc6-dev : Breaks: gcc-4.4 (< 4.4.6-4) but 4.4.5-8 is to be installed E: Broken packages ` – rubo77 Sep 26 '14 at 19:53
  • And if I also upgrade gcc, I get a lot of suggestions: https://gist.github.com/rubo77/3d18256eb1622deef41a – rubo77 Sep 26 '14 at 19:55
  • Nah, just add that line to your sources.list. I just updated a squeeze server just now with that entry in my sources.list file and then upgraded bash with no problems. I don't think that the squeeze-lts is in the file by default. – 111--- Sep 26 '14 at 19:57
  • Ah I see, the **LTS** is new, I thought your answer was about older releases in the first place. Does this also solve CVE-2014-7169 by now? – rubo77 Sep 26 '14 at 20:05
  • 2
    Nope. Here is a test script that I have been running to check for both: https://gist.github.com/KalenAnson/231db4b468fc53a5ae7d – 111--- Sep 26 '14 at 20:23
  • 1
    You have to do some more after adding the LTS source: https://wiki.debian.org/LTS/Using#Using_Debian_squeeze_.286.0.29_LTS – rubo77 Sep 27 '14 at 05:25
  • 1
    The script you were using to test seems to always show positive; see the issue in this alternative test: https://github.com/hannob/bashcheck/issues/6#issuecomment-57081774 – rubo77 Sep 28 '14 at 19:31
2

source: serverfault - Can not update bash on Debian Squeeze

You must use the squeeze-lts repository in order to continue receiving updates to Debian Squeeze.

To add this repository, edit /etc/apt/sources.list and add the line:

deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib

(you can remove non-free and contrib if desired)

To update only bash, after running apt-get update use apt-get install bash to install just bash, instead of a complete upgrade.

rubo77
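The procedure from both answers as a script, as an added example that is not part of the original posts: it appends the squeeze-lts line only when no active entry exists and wraps the question's test in a function. The function names and the constructed sample file are assumptions of this example; `apt-get update` and `apt-get install --only-upgrade bash` are still run afterwards as the answers describe.

```shell
#!/bin/sh
# Added example (not from the original posts): squeeze-lts check plus the question's bash test.

# Repository line quoted in both answers.
LTS_LINE='deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib'

# has_squeeze_lts FILE: true if FILE has an active "deb" entry for suite squeeze-lts.
# Commented-out lines and deb-src entries do not count.
has_squeeze_lts() {
    awk '$1 == "deb" && $3 == "squeeze-lts" { found = 1 } END { exit !found }' "$1"
}

# ensure_squeeze_lts FILE: append LTS_LINE only if no active entry exists (idempotent).
ensure_squeeze_lts() {
    has_squeeze_lts "$1" || printf '%s\n' "$LTS_LINE" >> "$1"
}

# bash_is_vulnerable [BINARY]: 0 if BINARY runs the command that trails the function
# definition in the environment (the test from the question), 1 if not, 2 if BINARY
# is missing. This covers only that test; CVE-2014-7169, raised in the comments,
# needs a separate check.
bash_is_vulnerable() {
    command -v "${1:-bash}" >/dev/null 2>&1 || return 2
    env x='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo hello' 2>/dev/null |
        grep -qx 'vulnerable'
}

# Demo on a constructed sources.list in a temp file; the real file is /etc/apt/sources.list.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
deb http://ftp.us.debian.org/debian/ squeeze main
deb http://security.debian.org/ squeeze/updates main
# deb http://ftp.us.debian.org/debian squeeze-lts main
EOF
    ensure_squeeze_lts "$tmp"
    ensure_squeeze_lts "$tmp"   # second call must not add a duplicate
    cat "$tmp"
    rm -f "$tmp"
    rc=0; bash_is_vulnerable || rc=$?
    case $rc in
        0) echo "bash: vulnerable" ;;
        1) echo "bash: not vulnerable to this test" ;;
        *) echo "bash: not found" ;;
    esac
}
demo
```

Run the check again after the upgrade; a patched bash prints only `hello` for the question's test, so the function returns 1.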