
I'm trying to patch my server against the Shellshock vulnerability issue. However, I'm unable to update Bash to a safe version; these are the results I'm getting:

```
# yum update bash
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update
```

I'm running CentOS 5.10, and the command `yum repolist all` shows that the update repo is enabled.

The current installed version of Bash is 3.2-32.el5_9.1.

This command shows that my server is vulnerable to Shellshock:

```
# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
```
Elite_Dragon1337
  • Where does the updates repo point to? Do you have an internal mirror configured which isn't synced? – faker Sep 30 '14 at 14:29
  • I don't think I have an internal mirror, seeing as I don't even know what that is =) The update repo is 'CentOS-5 - Updates' and it says 'enabled: 632' – Elite_Dragon1337 Sep 30 '14 at 14:33
  • You should check your files in `/etc/yum.repos.d/` to figure that out. Did you already run `yum clean expire-cache`? – faker Sep 30 '14 at 14:37
  • Yes, I have run yum clean expire-cache. /etc/yum.repos.d/ contains four files, CentOS-Base, CentOS-Debuginfo, CentOS-Media and CentOS-Vault. Could that be the problem? – Elite_Dragon1337 Sep 30 '14 at 14:39
  • I opened CentOS-Base.repo and it seems like the 'update' repo points to **http://centos.mirror.cust.lstn.net/$releasever/updates/$basearch/** – Elite_Dragon1337 Sep 30 '14 at 14:44
  • Try a `yum clean all` and then `yum update`. My server refused to update until I cleared out yum's caches and got it to update. – Nathan C Sep 30 '14 at 14:53

1 Answer

You appear to be using an internal mirror of lstn.net / limestonenetworks.com.
That mirror is probably out of sync.
You should contact them and make sure they sync the mirror.

As the vulnerability you are trying to patch is critical, I'd advise using a different mirror until they have synced theirs. Until then, switch to the external ones provided by the community by changing the baseurl of the updates repo to:

```
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
```

Note that this is replacing baseurl with mirrorlist!
It is generally better to use internal mirrors since they should be faster, so I would also revert that after they have fixed their mirror.

faker
  • It seems like my host's mirror was indeed horribly out of sync, thanks! – Elite_Dragon1337 Sep 30 '14 at 15:12
  • @Elite_Dragon1337 Glad I could help! I would really contact them if I were you. This probably affects all their customers. It's insanely irresponsible of them to not sync this mirror given this vulnerability. – faker Sep 30 '14 at 15:14
  • Yes, I have contacted them and they are working on it right now. I find it insane how this was not found earlier, seeing how vulnerable most servers are – Elite_Dragon1337 Sep 30 '14 at 15:21
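
The repo change described in the answer, written out as an added example that is not part of the original thread: it comments out `baseurl` and sets `mirrorlist` in one section only, keeping a backup so the change can be reverted once the internal mirror is in sync. The function names are hypothetical, and the section name `[updates]` assumes the stock layout of `CentOS-Base.repo`.

```shell
#!/bin/sh
# Added example (not from the thread): point one section of a yum .repo file
# at the public mirrorlist. The old baseurl is kept as a comment for reverting.
MIRRORLIST='http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates'

# switch_to_mirrorlist FILE [SECTION]: print the rewritten file on stdout.
# Only SECTION (default: updates) is changed; other repos are left alone.
switch_to_mirrorlist() {
    awk -v section="[${2:-updates}]" -v ml="$MIRRORLIST" '
        /^\[.*\]$/ {                        # section header
            in_sec = ($0 == section); print
            if (in_sec) print "mirrorlist=" ml
            next
        }
        in_sec && /^mirrorlist[ \t]*=/ { next }              # drop stale mirrorlist
        in_sec && /^baseurl[ \t]*=/ { print "#" $0; next }   # disable, keep for revert
        { print }
    ' "$1"
}

# apply_switch FILE: keep a one-time backup as FILE.bak (yum only reads *.repo),
# then rewrite FILE in place. Safe to run more than once.
apply_switch() {
    as_tmp=$(mktemp) || return 1
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak" || return 1
    switch_to_mirrorlist "$1" > "$as_tmp" && cat "$as_tmp" > "$1"; as_rc=$?
    rm -f "$as_tmp"; return $as_rc
}

# Constructed sample; the [updates] baseurl is the one quoted in the question,
# the [base] entry is made up to show that other sections are untouched.
sample_repo() {
cat <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://centos.mirror.cust.lstn.net/$releasever/os/$basearch/

[updates]
name=CentOS-$releasever - Updates
baseurl=http://centos.mirror.cust.lstn.net/$releasever/updates/$basearch/
gpgcheck=1
EOF
}

# Demo on a temporary copy, never on /etc/yum.repos.d directly.
demo=$(mktemp) && sample_repo > "$demo"
apply_switch "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

After applying it to the real repo file, run `yum clean all` and `yum update bash`, then repeat the `env x=...` test from the question to confirm that `vulnerable` is no longer printed.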