This site lists steps to secure the B3 against vulnerabilities that were discovered after the last official web update (2.6.0.2) was released by Excito.

Shellshock

Introduction

Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has been existing since roughly 1992. The following code allows testing for this vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will print

vulnerable
this is a test

whereas on a patched system the string vulnerable will not be printed.

While working on the bug, another severe flaw was discovered (CVE-2014-7169). Check for this vulnerability with the following line of code:

env X='() { (a)=>\' sh -c "echo date"; cat echo

CAUTION: A vulnerable system will print the current date and save it in a file called echo.

Fix

MouettE compiled the latest bash from source using the Debian squeeze LTS repository.

The complete file list of the build is as follows:

• bash_4.1-3+deb6u2_armel.deb
• bash-builtins_4.1-3+deb6u2_armel.deb
• bash-doc_4.1-3+deb6u2_all.deb
• bash-static_4.1-3+deb6u2_armel.deb
• bash_4.1-3+deb6u2.diff.gz
• bash_4.1-3+deb6u2.dsc
• bash_4.1-3+deb6u2_armel.changes
• bash_4.1.orig.tar.gz

Install the fixed bash version by running the following commands as root user:

wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb
dpkg -i bash_4.1-3+deb6u2_armel.deb

The first command downloads the file marked bold from above, while the second installs the downloaded package.