How to patch RedHat 5 for Shellshock without subscription

Hi All,
     I need to patch some server for the ShellShock exploit but do not have the Subscription to pull it down direct. The servers are going EOL in December and i do not want to have to purchase the Subscription for 2 months, is there a way around this?

I have seen:
http://icewalkerz.blogspot.co.uk/2009/10/how-to-use-centos-repos-in-rhel-5.html
but when i run "yum-rhn-plugin" i get Failed on Dependencies

i can not find any iso downloads to install from CDrom, i might just be special here so anything you could offer would be appreciated
LVL 5
ncomperAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Seth SimmonsSr. Systems AdministratorCommented:
if you are running RHEL and don't have a subscription that violates the EULA
are you planning to use RHEL on other servers beyond these when the hardware is EOL?
subscriptions are not tied to physical systems so if you renew for a year, you can later remove these systems from your subscription and assign new servers since you then have a subscription available
Jan SpringerCommented:
Either change your shell from bash to dash (and any other shell links to bash) or download bash from source and compile it -- referencing /usr/local/bin/bash where today you reference /bin/bash after the installation is complete.
rusted_planetCommented:
Download the src rpm from redhats public website.  This is free under the gpl license.  Then do a rpmbuild --rebuild for the src rpm.  You may have to do this multiple times if there are dependancies.  The subscription for Redhat is a support contract for the OS nothing more, not the ability whether or not you can run the OS after your subscription expires.  That support includes the precompiled binary updates.  You are still free to continue running the OS and can manually download the src rpms from redhat and recompile them after your support runs out.  If anything breaks just dont ask for their help.  We clarified this with Redhat for one of our customers.

That being said if this is a commercial server just get support if possible.

Sean
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

gheistCommented:
To stop piracy you have to convert to Oracle EL or CentOS yesterday...
(between the lines - centos and oracle packages if you know how to download them will fix the vulnerability when applied to your RHEL)
rusted_planetCommented:
Running your Redhat server with no support is not piracy (we have 1200 licenses and have had customers let support lapse and have asked Redhat these questions).  To read teh EULA go here:

http://www.redhat.com/f/pdf/licenses/GLOBAL_EULA_RHEL_English_20101110.pdf

You can also legally download SRPMS (source RPMS) from (the pub stands for public):

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/

more specifically for the bash:

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bash-3.2-33.el5_11.4.src.rpm

You can then do a:

rpmbuild --rebuild bash-3.2-33.el5_11.4.src.rpm

Open in new window


This will probably give you warnings about other software you need installed.  And you will have to rebuild all the SRPM's needed.  Again this is perfectly legal, it is how OEL, scientific linux and CENTOS are built.  The GPL requires that the source code is released.  The Redhat contract is for support only.  You did not buy an OS from Redhat you bought support for that OS.  

That being said they are correct you should either get support for Redhat or switch to OEL or CENTOS, that will make your life a lot easier.

Sean
Jan SpringerCommented:
Go here:

http://ftp.gnu.org/gnu/bash/

Download 4.3 and 4.3-patches.

Follow the directions to apply the patches, configure, compile and install.
gheistCommented:
Licencing: http://www.redhat.com/es/about/licenses (new as of 2013... it runs with subscription only....)
rusted_planetCommented:
Any concerns if you can still run Redhat after your subscription expires, then go to this url:

http://www.redhat.com/en/about/subscription

On the left click "How it works?"  look at the bottom and pay attention to this part:

What happens at the end of my subscription?

To continue to receive the benefits of your Red Hat subscriptions, you renew them so that all instances and installations of Red Hat software maintain an active subscription.

If all of your subscriptions expire and you have no other active subscriptions in your organization, you retain the right to use the software, but your entire environment will no longer receive any of the subscription benefits, including:

    The latest certified software versions.
    Security errata and bug fixes.
    Red Hat technical support.
    Access to the award-winning Customer Portal.
    Red Hat's Open Source Assurance.

We really did ask Redhat about this and they directed us to this page.  It is not piracy and you can legally keep running it.  You can even download their SRPMS and recompile and apply them.  Not a good business practice but is it 100% legal.  Hope this ends the clarification.
Thanks,

Sean

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gheistCommented:
What is cool they notified their paying customers that you should stop using unsubscribed systems without entitlement. Cheers, now go figure
ncomperAuthor Commented:
Thanks for all the support options Guys, RH of course never told me i could do any of the above but were happy to offer me subscription....

What i completed in the end was as follows:

  - Make an "/etc/yum.repos.d/centos.repo" file. Content's should look like this:

[CentOS_base]
name=CentOS-Base
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOS_updates]
name=CentOS-Updates
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOSplus]
name=CentOS-Plus
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

 - Disable RHN yum plugin, edit "/etc/yum/pluginconf.d/rhnplugin.conf"
 - Change "enabled=1" to "enabled=0"

Run these commands:
yum clean all
yum update bash
gheistCommented:
You should be using CentOS5 to match RHEL5, otherwise you enter the land of broken dependencies...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.