This article is excerpted from PHP中文网, author 藏色散人; it will be removed on request in case of infringement.
This article from the CentOS tutorial column covers upgrading Bash on CentOS to fix the Shellshock vulnerability. Many companies run their own yum repositories, so upgrading by simply configuring other yum repositories is not allowed. To upgrade conveniently and test safely, start with a single test machine.
Fix for CentOS
Install the yum plugin yum-downloadonly
Note: the yum-downloadonly plugin downloads the required packages without installing them.
sudo yum -y install yum-downloadonly
Add the official CentOS repository, CentOS-Base.repo
Official repository for CentOS 5
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS- $releasever - Base
mirrorlist=http:
#baseurl=http:
gpgcheck=1
gpgkey=file:
#released updates
[updates]
name=CentOS- $releasever - Updates
mirrorlist=http:
#baseurl=http:
gpgcheck=1
gpgkey=file:
#additional packages that may be useful
[extras]
name=CentOS- $releasever - Extras
mirrorlist=http:
#baseurl=http:
gpgcheck=1
gpgkey=file:
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS- $releasever - Plus
mirrorlist=http:
#baseurl=http:
gpgcheck=1
enabled=1
gpgkey=file:
#contrib - packages by Centos Users
[contrib]
name=CentOS- $releasever - Contrib
mirrorlist=http:
#baseurl=http:
gpgcheck=1
enabled=1
gpgkey=file:
Official repository for CentOS 6
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS- $releasever - Base
mirrorlist=http:
#baseurl=http:
gpgcheck=1
gpgkey=file:
#released updates
[updates]
name=CentOS- $releasever - Updates
mirrorlist=http:
#baseurl=http:
gpgcheck=1
gpgkey=file:
#additional packages that may be useful
[extras]
name=CentOS- $releasever - Extras
mirrorlist=http:
#baseurl=http:
gpgcheck=1
gpgkey=file:
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS- $releasever - Plus
mirrorlist=http:
#baseurl=http:
gpgcheck=1
enabled=1
gpgkey=file:
#contrib - packages by Centos Users
[contrib]
name=CentOS- $releasever - Contrib
mirrorlist=http:
#baseurl=http:
gpgcheck=1
enabled=1
gpgkey=file:
Download the latest bash package
Download the latest bash RPM package to the /tmp directory:
sudo yum -y install --downloadonly --downloaddir=/tmp/ bash
The downloaded package names are as follows:
CentOS 5
bash-3.2-33.el5_10.4.x86_64.rpm
CentOS 6
bash-4.1.2-15.el6_5.2.x86_64.rpm
Install the latest bash package
CentOS 5
sudo yum -y install bash-3.2-33.el5_10.4.x86_64.rpm
CentOS 6
sudo yum -y install bash-4.1.2-15.el6_5.2.x86_64.rpm
Verification
env X='() { (a)=>\' sh -c "echo date"; cat echo
The output is as follows:
date
Mon Sep 29 10:11:56 CST 2014
env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Hello"
The output is as follows:
This proves the fix succeeded.
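The two checks above, wrapped in a script that runs the file-creation check in an empty temporary directory so that a leftover file named echo from an earlier run cannot affect the result. This is an added example, not part of the original article; the BASH_BIN variable and the function names are assumptions introduced here, and bash is invoked explicitly instead of sh.

```shell
#!/bin/sh
# Added example (not from the original article). BASH_BIN and all function
# names are assumptions introduced here for illustration.
BASH_BIN="${BASH_BIN:-bash}"

# Classify captured stdout of the second check on the page: a vulnerable bash
# runs the command that trails the function body in VAR.
classify_import() {
    case "$1" in
        *"Bash is vulnerable!"*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

check_function_import() {
    out=$(env VAR='() { :;}; echo Bash is vulnerable!' \
        "$BASH_BIN" -c "echo Bash Hello" 2>/dev/null) || true
    classify_import "$out"
}

# First check on the page: a vulnerable bash leaves a file named "echo" in the
# current directory. Run it in a fresh directory so the result depends only on
# this run.
check_parser_redirect() {
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        env X='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 || true
        if [ -e echo ]; then echo vulnerable; else echo patched; fi
    )
    rm -rf "$dir"
}

report() {
    printf 'function import check: %s\n' "$(check_function_import)"
    printf 'parser redirect check: %s\n' "$(check_parser_redirect)"
    "$BASH_BIN" --version | head -n 1
}

report
```

Run it on the test machine before and after installing the package; both lines should read patched afterwards.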
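Add to the existing rpm repository
The last step is to add the tested packages to the company's own repository and then push them out across the whole network.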