Generally speaking if your hosting is using Debian Etch nowadays it is time to consider moving to a more contemporary OS. Nevertheless, here are the instructions on how to patch bash on Debian Etch to fix the ShellShock vulnerability:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | #first find out the version you have so you know what to get for the patches and source files dpkg-query -l|grep bash ii bash 3.2-4 The GNU Bourne Again SHell #do this in the /usr/src dir cd /usr/src wget http://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz tar zxvf bash-3.2.tar.gz cd bash-3.2 # fetch all patches, including latest ones that patches CVE-2014-6271 for i in $(seq -f "%03g" 0 54); do wget -nv http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i patch -p0 < bash32-$i done # install yacc apt-get install bison # configure,compile and install bash (this will install bash into /usr/local/bin/bash) ./configure && make make install # at this point my system is not vulnerable already, test your system env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test" # if this is not the case for your system - try the following # make a symlink from /bin/bash to the new binary mv /bin/bash /bin/bash.old ln -s /usr/local/bin/bash /bin/bash # check that you're not vulnerable anymore wiith the output of the following # it should not output vulnerable word anymore env x='() { :;}; echo vulnerable' bash -c echo #you can Delete the old one thats a problem rm /bin/bash.old |
Based on tannkost instructions for Debian 5 Lenny.