How to Force Update Bash on Debian 6.0 (Squeeze) to Patch Shellshock Vulnerability



When running Debian 6.0 (Squeeze), you'll find that the standard apt-get update and apt-get install bash commands won't upgrade Bash beyond version 4.1.5. This version is affected by critical vulnerabilities such as Shellshock (CVE-2014-6271). The official Squeeze repositories no longer receive updates because the release has reached End-of-Life.

For temporary security patches (like your 1-week window), you can enable Squeeze-LTS sources:

# Backup your original sources.list
cp /etc/apt/sources.list /etc/apt/sources.list.bak

# Add LTS repository
echo "deb http://archive.debian.org/debian squeeze-lts main" > /etc/apt/sources.list
echo "deb http://archive.debian.org/debian-security squeeze/updates main" >> /etc/apt/sources.list

# Update and upgrade bash
apt-get update
apt-get install --only-upgrade bash

If LTS isn't an option, compile Bash from source:

wget https://ftp.gnu.org/gnu/bash/bash-4.3.30.tar.gz
tar xzf bash-4.3.30.tar.gz
cd bash-4.3.30
./configure && make && make install

Verify with:

bash --version
/usr/local/bin/bash -c 'echo patched'

1. After upgrading, test for the Shellshock vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo test"

2. Consider updating to a supported Debian version (Wheezy+) as a long-term solution.

3. If using LTS, remember to revert changes after your migration:

mv /etc/apt/sources.list.bak /etc/apt/sources.list
apt-get update

When running bash --version on Debian Squeeze, you'll typically see version 4.1.5(1)-release. This version contains the critical Shellshock vulnerability (CVE-2014-6271, CVE-2014-7169) that allows remote code execution through environment variables.

The default Squeeze repositories no longer receive security updates. Running apt-get update && apt-get install bash shows:

bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.

Debian's Long Term Support (LTS) repository provides security patches for Squeeze. Here's how to temporarily enable it:

# Backup original sources
cp /etc/apt/sources.list /etc/apt/sources.list.bak

# Add LTS repository (amd64 architecture)
echo "deb http://archive.debian.org/debian squeeze-lts main" > /etc/apt/sources.list
echo "deb http://archive.debian.org/debian-security squeeze/updates main" >> /etc/apt/sources.list

# Update and upgrade bash
apt-get update
apt-get install --only-upgrade bash

After upgrade, verify both version and vulnerability patching:

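# Check version (bash --version prints the upstream release; the Debian package
# version, as reported by dpkg -s bash, should be 4.1-3+deb6u2 or higher)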
bash --version

# Test Shellshock vulnerability
env x='() { :;}; echo vulnerable' bash -c "echo completed"

A patched system should output only "completed" without the "vulnerable" message.

Since you mentioned migrating soon, revert to original sources after patching:

mv /etc/apt/sources.list.bak /etc/apt/sources.list
apt-get update

If LTS isn't suitable, compile latest bash from source:

wget https://ftp.gnu.org/gnu/bash/bash-5.1.tar.gz
tar xvf bash-5.1.tar.gz
cd bash-5.1
./configure && make && make install
ln -sf /usr/local/bin/bash /bin/bash

Note: This may break package dependencies and isn't recommended for production systems.
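
A source build installs to /usr/local/bin/bash and leaves the packaged /bin/bash in place unless it is replaced, so the probe above is worth running against each binary by path rather than against whichever bash comes first in PATH. The script below is an added example, not part of the original answer; the function names and marker strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: run the page's CVE-2014-6271 probe against specific binaries.
# MARKER and DONE are constructed strings used only by this script.
MARKER=SHELLSHOCK_MARKER
DONE=probe-done

# classify_probe_output TEXT -> vulnerable | patched | error
classify_probe_output() {
    case $1 in
        *"$MARKER"*) echo vulnerable ;;  # trailing command was executed
        *"$DONE"*)   echo patched ;;     # only the -c command ran
        *)           echo error ;;       # the shell did not run the probe
    esac
}

# probe_bash PATH -> vulnerable | patched | error | missing
probe_bash() {
    [ -x "$1" ] || { echo missing; return 0; }
    # env -i gives the child a clean environment holding only the probe variable.
    out=$(env -i x="() { :;}; echo $MARKER" "$1" -c "echo $DONE" 2>/dev/null) || true
    classify_probe_output "$out"
}

# audit_bash PATH... -> one line per path; returns 1 if any path is vulnerable
audit_bash() {
    rc=0
    for candidate in "$@"; do
        result=$(probe_bash "$candidate")
        printf '%-24s %s\n' "$candidate" "$result"
        if [ "$result" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

# Paths taken from the page: the packaged shell and the source-build location.
audit_bash /bin/bash /usr/local/bin/bash
```

The script exits non-zero if any listed binary still executes the trailing command. It covers only the CVE-2014-6271 case tested on this page.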

While patching bash addresses the immediate vulnerability, consider:

  • Disabling CGI scripts using bash
  • Upgrading to a supported Debian version (Wheezy+)
  • Implementing network-level protections