Solved

How to patch RedHat 5 for Shellshock without subscription

Posted on 2014-09-29
635 Views
Last Modified: 2014-10-24
Hi All,
I need to patch some servers for the ShellShock exploit but do not have the subscription to pull it down directly. The servers are going EOL in December and I do not want to have to purchase the subscription for 2 months. Is there a way around this?

I have seen:
http://icewalkerz.blogspot.co.uk/2009/10/how-to-use-centos-repos-in-rhel-5.html
but when I run "yum-rhn-plugin" I get "Failed on Dependencies".

I cannot find any ISO downloads to install from CD-ROM. I might just be special here, so anything you could offer would be appreciated.
0
Question by:ncomper
11 Comments
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 55 total points
ID: 40350131
If you are running RHEL and don't have a subscription, that violates the EULA.
Are you planning to use RHEL on other servers beyond these when the hardware is EOL?
Subscriptions are not tied to physical systems, so if you renew for a year, you can later remove these systems from your subscription and assign new servers, since you then have a subscription available.
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 111 total points
ID: 40350219
Either change your shell from bash to dash (and any other shell links to bash) or download bash from source and compile it -- referencing /usr/local/bin/bash where today you reference /bin/bash after the installation is complete.
0
 
LVL 2

Assisted Solution

by:rusted_planet
rusted_planet earned 168 total points
ID: 40351358
Download the src RPM from Red Hat's public website. This is free under the GPL license. Then do an rpmbuild --rebuild for the src RPM. You may have to do this multiple times if there are dependencies. The subscription for Red Hat is a support contract for the OS, nothing more; it does not govern whether or not you can run the OS after your subscription expires. That support includes the precompiled binary updates. You are still free to continue running the OS and can manually download the src RPMs from Red Hat and recompile them after your support runs out. If anything breaks, just don't ask for their help. We clarified this with Red Hat for one of our customers.

That being said if this is a commercial server just get support if possible.

Sean
0

 
LVL 62

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 40352438
To stop piracy you have to convert to Oracle EL or CentOS yesterday...
(Between the lines: CentOS and Oracle packages, if you know how to download them, will fix the vulnerability when applied to your RHEL.)
0
 
LVL 2

Assisted Solution

by:rusted_planet
rusted_planet earned 168 total points
ID: 40353383
Running your Red Hat server with no support is not piracy (we have 1200 licenses and have had customers let support lapse and have asked Red Hat these questions). To read the EULA go here:

http://www.redhat.com/f/pdf/licenses/GLOBAL_EULA_RHEL_English_20101110.pdf

You can also legally download SRPMS (source RPMS) from (the pub stands for public):

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/

more specifically for the bash:

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bash-3.2-33.el5_11.4.src.rpm

You can then do a:

rpmbuild --rebuild bash-3.2-33.el5_11.4.src.rpm



This will probably give you warnings about other software you need installed, and you will have to rebuild all the SRPMs needed. Again, this is perfectly legal; it is how OEL, Scientific Linux and CentOS are built. The GPL requires that the source code is released. The Red Hat contract is for support only. You did not buy an OS from Red Hat, you bought support for that OS.

That being said, they are correct: you should either get support for Red Hat or switch to OEL or CentOS; that will make your life a lot easier.

Sean
0
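The SRPM rebuild Sean describes, as an added example that is not from the thread or from Red Hat: a POSIX shell script that fetches the bash SRPM named above, checks its signature with rpm -K before building, rebuilds it, and afterwards verifies that the installed bash package is at or above the fixed release. The version comparison is a simplified rpmvercmp written in awk (segments split on '.', '-' and '_'); the build-output directory /usr/src/redhat/RPMS and the key file /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release are assumptions about a stock RHEL 5 build host, and the rpm -q lines at the bottom are constructed. The download-and-rebuild step only runs when RUN_REBUILD=1 is set, so the version check can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild bash from the Red Hat SRPM
# and verify the installed package afterwards.
set -eu

SRPM_URL="http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bash-3.2-33.el5_11.4.src.rpm"
FIXED_VR="3.2-33.el5_11.4"                              # version-release of the fixed package named in the thread
RPMS_DIR="/usr/src/redhat/RPMS"                         # assumed rpmbuild output dir on a stock RHEL 5 host
RH_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"    # assumed location of the Red Hat signing key

# Simplified rpmvercmp: split both strings on '.', '-' and '_' and compare
# segment by segment, numerically when both segments are numeric.
# A missing trailing segment sorts before a present one. Prints -1, 0 or 1.
vr_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[._-]/); nb = split(b, B, /[._-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
                if (x + 0 < y + 0) { print -1; exit }
                if (x + 0 > y + 0) { print 1; exit }
            } else {
                if (x < y) { print -1; exit }
                if (x > y) { print 1; exit }
            }
        }
        print 0
    }'
}

# Version-release from an `rpm -q bash` line; tolerates an arch suffix.
bash_vr() {
    printf '%s\n' "$1" | sed -e 's/^bash-//' -e 's/\.x86_64$//' -e 's/\.i[3-6]86$//' -e 's/\.noarch$//'
}

# Exit 0 when the package line is at or above FIXED_VR.
bash_is_fixed() {
    [ "$(vr_cmp "$(bash_vr "$1")" "$FIXED_VR")" -ge 0 ]
}

# Fetch, check the signature, rebuild and install. rpmbuild stops with
# "Failed build dependencies" for any missing BuildRequires; rebuild those
# SRPMs the same way, as the thread says.
rebuild_from_srpm() {
    srpm=$(basename "$SRPM_URL")
    wget -N "$SRPM_URL"
    rpm --import "$RH_KEY"     # so rpm -K verifies the signature, not only the digest
    rpm -K "$srpm"             # non-zero exit if the signature does not check out
    rpmbuild --rebuild "$srpm"
    rpm -Uvh "$RPMS_DIR"/*/bash-"$FIXED_VR".*.rpm
    bash_is_fixed "$(rpm -q bash)"
}

# Constructed sample lines standing in for `rpm -q bash` output on two hosts.
for line in "bash-3.2-24.el5" "bash-3.2-33.el5_11.4.x86_64"; do
    if bash_is_fixed "$line"; then
        echo "$line: at or above $FIXED_VR"
    else
        echo "$line: older than $FIXED_VR, rebuild needed"
    fi
done

if [ "${RUN_REBUILD:-0}" = 1 ]; then
    rebuild_from_srpm
fi
```

Checking the signature before rpmbuild matters more here than with yum, because the SRPM is fetched over plain http and rpmbuild runs the spec file's %prep and %build sections as whatever user invokes it; run it as an unprivileged build user and only install the resulting binary RPMs as root.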
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 111 total points
ID: 40353393
Go here:

http://ftp.gnu.org/gnu/bash/

Download 4.3 and 4.3-patches.

Follow the directions to apply the patches, configure, compile and install.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40353961
Licensing: http://www.redhat.com/es/about/licenses (new as of 2013... it runs with subscription only....)
0
 
LVL 2

Accepted Solution

by:rusted_planet
rusted_planet earned 168 total points
ID: 40355578
If you have any concerns about whether you can still run Red Hat after your subscription expires, go to this URL:

http://www.redhat.com/en/about/subscription

On the left, click "How it works?", look at the bottom and pay attention to this part:

What happens at the end of my subscription?

To continue to receive the benefits of your Red Hat subscriptions, you renew them so that all instances and installations of Red Hat software maintain an active subscription.

If all of your subscriptions expire and you have no other active subscriptions in your organization, you retain the right to use the software, but your entire environment will no longer receive any of the subscription benefits, including:

    The latest certified software versions.
    Security errata and bug fixes.
    Red Hat technical support.
    Access to the award-winning Customer Portal.
    Red Hat's Open Source Assurance.

We really did ask Red Hat about this and they directed us to this page. It is not piracy and you can legally keep running it. You can even download their SRPMs and recompile and apply them. Not a good business practice, but it is 100% legal. Hope this ends the clarification.
Thanks,

Sean
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 40356302
What is cool is that they notified their paying customers that you should stop using unsubscribed systems without entitlement. Cheers, now go figure.
0
 
LVL 5

Author Comment

by:ncomper
ID: 40356665
Thanks for all the support options, guys. RH of course never told me I could do any of the above but were happy to offer me a subscription....

What I completed in the end was as follows:

  - Make an "/etc/yum.repos.d/centos.repo" file. Contents should look like this:

[CentOS_base]
name=CentOS-Base
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOS_updates]
name=CentOS-Updates
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOSplus]
name=CentOS-Plus
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

 - Disable RHN yum plugin, edit "/etc/yum/pluginconf.d/rhnplugin.conf"
 - Change "enabled=1" to "enabled=0"

Run these commands:
yum clean all
yum update bash
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 40356669
You should be using CentOS5 to match RHEL5, otherwise you enter the land of broken dependencies...
0
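The mismatch gheist points at, as an added example that is not from the thread: a POSIX shell script that reads the host's major release from its redhat-release line, checks that every release= and every RPM-GPG-KEY-CentOS-N in a yum repo file agrees with it, and generates a CentOS repo file in the same layout as the one above with the release number and signing key matched to the host. The URL pattern is the thread's with the release number substituted (an assumption, not verified against current CentOS mirrors), and the redhat-release line below is constructed; on a real host replace it with the contents of /etc/redhat-release.

```shell
#!/bin/sh
# Added example, not from the thread: keep a CentOS repo file matched to the
# RHEL major release of the host before using it to pull a bash update.
set -eu

# Major release number from a redhat-release line, e.g.
# "Red Hat Enterprise Linux Server release 5.11 (Tikanga)" -> 5
os_major() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\)[ .].*/\1/p'
}

# Every release= value found in mirrorlist= lines of repo text read from stdin.
repo_releases() {
    sed -n 's/^mirrorlist=.*[?&]release=\([0-9][0-9]*\).*/\1/p'
}

# Every CentOS key number found in gpgkey= lines of repo text read from stdin.
repo_key_releases() {
    sed -n 's/^gpgkey=.*RPM-GPG-KEY-CentOS-\([0-9][0-9]*\).*/\1/p'
}

# Exit 0 when every release= and every key number in the repo text equal the OS major.
repo_matches_os() {   # $1 = repo text, $2 = OS major
    for r in $(printf '%s\n' "$1" | repo_releases) $(printf '%s\n' "$1" | repo_key_releases); do
        [ "$r" = "$2" ] || return 1
    done
    return 0
}

# Repo file in the same layout as the thread's, with release and key matched to $1.
# gpgcheck=1 is kept on: yum then refuses packages not signed by the named key.
gen_centos_repo() {   # $1 = OS major
    for pair in base:os updates:updates plus:centosplus; do
        id=${pair%%:*}
        repo=${pair#*:}
        printf '[CentOS_%s]\nname=CentOS-%s\n' "$id" "$id"
        printf 'mirrorlist=http://mirrorlist.centos.org/?release=%s&arch=$basearch&repo=%s\n' "$1" "$repo"
        printf 'gpgcheck=1\nenabled=1\n'
        printf 'gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-%s\n' "$1"
    done
}

# Constructed stand-in for `cat /etc/redhat-release` on the host being patched.
RELEASE_LINE="Red Hat Enterprise Linux Server release 5.11 (Tikanga)"
MAJOR=$(os_major "$RELEASE_LINE")

# The thread's file points the host at release=6; flag that before yum ever sees it.
if repo_matches_os "$(gen_centos_repo 6)" "$MAJOR"; then
    echo "release=6 repo matches the host"
else
    echo "release=6 repo does not match a RHEL $MAJOR host; a matching one would be:"
    gen_centos_repo "$MAJOR"    # redirect to /etc/yum.repos.d/centos.repo on the real host
fi
```

Two things the check does not cover: the key is fetched over plain http, so import it once from a copy you trust (rpm --import) before enabling the repo rather than letting yum fetch it on first use, and a matching release number only avoids the dependency breakage gheist describes; it does not make CentOS packages a supported update path for RHEL.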
