How to patch RedHat 5 for Shellshock without subscription

Posted on 2014-09-29
Last Modified: 2014-10-24
Hi All,
     I need to patch some servers for the ShellShock exploit but do not have the subscription to pull it down directly. The servers are going EOL in December and I do not want to have to purchase the subscription for 2 months. Is there a way around this?

I have seen:
http://icewalkerz.blogspot.co.uk/2009/10/how-to-use-centos-repos-in-rhel-5.html
but when I run "yum-rhn-plugin" I get Failed on Dependencies

I cannot find any ISO downloads to install from CD-ROM. I might just be special here, so anything you could offer would be appreciated.
Question by:ncomper
11 Comments
 
LVL 35

Assisted Solution

by:Seth Simmons
Seth Simmons earned 220 total points
ID: 40350131
If you are running RHEL and don't have a subscription, that violates the EULA.
Are you planning to use RHEL on other servers beyond these when the hardware is EOL?
Subscriptions are not tied to physical systems, so if you renew for a year, you can later remove these systems from your subscription and assign new servers, since you then have a subscription available.
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 444 total points
ID: 40350219
Either change your shell from bash to dash (and any other shell links to bash) or download bash from source and compile it -- referencing /usr/local/bin/bash where today you reference /bin/bash after the installation is complete.
0
 
LVL 2

Assisted Solution

by:rusted_planet
rusted_planet earned 672 total points
ID: 40351358
Download the src rpm from Red Hat's public website.  This is free under the GPL license.  Then do a rpmbuild --rebuild for the src rpm.  You may have to do this multiple times if there are dependencies.  The subscription for Red Hat is a support contract for the OS, nothing more, not the ability whether or not you can run the OS after your subscription expires.  That support includes the precompiled binary updates.  You are still free to continue running the OS and can manually download the src rpms from Red Hat and recompile them after your support runs out.  If anything breaks, just don't ask for their help.  We clarified this with Red Hat for one of our customers.

That being said, if this is a commercial server, just get support if possible.

Sean
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 664 total points
ID: 40352438
To stop piracy you have to convert to Oracle EL or CentOS yesterday...
(between the lines - centos and oracle packages if you know how to download them will fix the vulnerability when applied to your RHEL)
0
 
LVL 2

Assisted Solution

by:rusted_planet
rusted_planet earned 672 total points
ID: 40353383
Running your Red Hat server with no support is not piracy (we have 1200 licenses and have had customers let support lapse and have asked Red Hat these questions).  To read the EULA go here:

http://www.redhat.com/f/pdf/licenses/GLOBAL_EULA_RHEL_English_20101110.pdf

You can also legally download SRPMS (source RPMS) from (the pub stands for public):

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/

more specifically for the bash:

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bash-3.2-33.el5_11.4.src.rpm

You can then do a:

rpmbuild --rebuild bash-3.2-33.el5_11.4.src.rpm


This will probably give you warnings about other software you need installed.  And you will have to rebuild all the SRPMs needed.  Again, this is perfectly legal; it is how OEL, Scientific Linux and CentOS are built.  The GPL requires that the source code is released.  The Red Hat contract is for support only.  You did not buy an OS from Red Hat, you bought support for that OS.

That being said, they are correct: you should either get support for Red Hat or switch to OEL or CentOS; that will make your life a lot easier.

Sean
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 444 total points
ID: 40353393
Go here:

http://ftp.gnu.org/gnu/bash/

Download 4.3 and 4.3-patches.

Follow the directions to apply the patches, configure, compile and install.
0
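After an SRPM rebuild or a source install under /usr/local/bin as suggested above, the old /bin/bash can still be in place, so each bash binary needs checking on its own. The script below is an added example, not part of the thread; the marker string, the function names and the path list are assumptions.

```shell
#!/bin/sh
# Added example: report whether each bash binary still runs commands that
# trail a function definition imported from the environment (Shellshock).
MARKER="SHELLSHOCK_CHECK_MARKER"   # constructed marker, harmless echo only

# check_bash PATH -> prints "patched", "vulnerable" or "missing"
check_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "missing"; return 0; }
    # A fixed bash treats the value as plain data; an unfixed bash executes
    # the text after the function body while importing the variable.
    out=$(env "probe=() { :;}; echo $MARKER" "$shell_path" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# audit_shells PATH... -> one "path: status" line per path,
# exit status 1 if any binary is still vulnerable
audit_shells() {
    rc=0
    for p in "$@"; do
        status=$(check_bash "$p")
        echo "$p: $status"
        if [ "$status" = "vulnerable" ]; then rc=1; fi
    done
    return $rc
}

# Paths named in the thread, plus /bin/sh, which links to bash on RHEL 5.
audit_shells /bin/sh /bin/bash /usr/local/bin/bash || true
```

Any path reported as vulnerable is still reachable by scripts and services that reference it, even when a patched copy exists elsewhere.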
 
LVL 62

Expert Comment

by:gheist
ID: 40353961
Licencing: http://www.redhat.com/es/about/licenses (new as of 2013... it runs with subscription only....)
0
 
LVL 2

Accepted Solution

by:
rusted_planet earned 672 total points
ID: 40355578
If you have any concerns about whether you can still run Red Hat after your subscription expires, then go to this URL:

http://www.redhat.com/en/about/subscription

On the left, click "How it works?", look at the bottom and pay attention to this part:

What happens at the end of my subscription?

To continue to receive the benefits of your Red Hat subscriptions, you renew them so that all instances and installations of Red Hat software maintain an active subscription.

If all of your subscriptions expire and you have no other active subscriptions in your organization, you retain the right to use the software, but your entire environment will no longer receive any of the subscription benefits, including:

    The latest certified software versions.
    Security errata and bug fixes.
    Red Hat technical support.
    Access to the award-winning Customer Portal.
    Red Hat's Open Source Assurance.

We really did ask Red Hat about this and they directed us to this page.  It is not piracy and you can legally keep running it.  You can even download their SRPMS and recompile and apply them.  Not a good business practice, but it is 100% legal.  Hope this ends the clarification.
Thanks,

Sean
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 664 total points
ID: 40356302
What is cool they notified their paying customers that you should stop using unsubscribed systems without entitlement. Cheers, now go figure
0
 
LVL 5

Author Comment

by:ncomper
ID: 40356665
Thanks for all the support options, guys. RH of course never told me I could do any of the above but were happy to offer me subscription....

What I completed in the end was as follows:

  - Make an "/etc/yum.repos.d/centos.repo" file. Contents should look like this:

[CentOS_base]
name=CentOS-Base
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOS_updates]
name=CentOS-Updates
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOSplus]
name=CentOS-Plus
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

 - Disable RHN yum plugin, edit "/etc/yum/pluginconf.d/rhnplugin.conf"
 - Change "enabled=1" to "enabled=0"

Run these commands:
yum clean all
yum update bash
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 664 total points
ID: 40356669
You should be using CentOS5 to match RHEL5, otherwise you enter the land of broken dependencies...
0
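The release mismatch pointed out in the last comment can be caught before running yum by linting the .repo file against the host's major release. This is an added example, not code from the thread; the function names are assumptions, and the release string and repo stanza are constructed samples (the stanza copies the first section of the file posted above).

```shell
#!/bin/sh
# Added example: lint a yum .repo file before pointing a RHEL host at it.

# release_major: distro release string on stdin -> major version number
release_major() {
    sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}

# lint_repo OS_MAJOR: .repo file on stdin -> one finding per line
lint_repo() {
    awk -v want="$1" '
        /^\[/ { section = $0; next }
        /^(mirrorlist|baseurl)=/ {
            # "release=" is 8 characters; keep only the digits after it
            if (match($0, /release=[0-9]+/)) {
                got = substr($0, RSTART + 8, RLENGTH - 8)
                if (got != want)
                    print section ": repo release " got " != OS release " want
            }
        }
        /^gpgcheck=0/       { print section ": gpgcheck disabled" }
        /^gpgkey=http:\/\// { print section ": gpgkey fetched over plain http" }
    '
}

# Constructed sample: first stanza of the centos.repo posted in the thread.
sample_repo() {
    cat <<'EOF'
[CentOS_base]
name=CentOS-Base
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
EOF
}

# Constructed release string standing in for /etc/redhat-release on RHEL 5.
os=$(echo 'Red Hat Enterprise Linux Server release 5.11 (Tikanga)' | release_major)
sample_repo | lint_repo "$os"
```

The gpgkey finding matters because gpgcheck=1 only protects packages if the signing key itself was obtained over a channel that cannot be altered in transit.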
