How to patch RedHat 5 for Shellshock without subscription

Hi All,
I need to patch some servers for the ShellShock exploit but do not have the subscription to pull it down directly. The servers are going EOL in December and I do not want to have to purchase the subscription for 2 months; is there a way around this?

I have seen:
http://icewalkerz.blogspot.co.uk/2009/10/how-to-use-centos-repos-in-rhel-5.html
but when I run "yum-rhn-plugin" I get "Failed on Dependencies".

I cannot find any ISO downloads to install from CD-ROM; I might just be special here, so anything you could offer would be appreciated.
Asked by: ncomper
 
Seth Simmons (Sr. Systems Administrator) commented:
If you are running RHEL and don't have a subscription, that violates the EULA.
Are you planning to use RHEL on other servers beyond these when the hardware is EOL?
Subscriptions are not tied to physical systems, so if you renew for a year you can later remove these systems from your subscription and assign new servers, since you then have a subscription available.
 
Jan Springer commented:
Either change your shell from bash to dash (and any other shell links to bash), or download bash from source and compile it, referencing /usr/local/bin/bash where today you reference /bin/bash after the installation is complete.
 
rusted_planet commented:
Download the src RPM from Red Hat's public website. This is free under the GPL license. Then do an rpmbuild --rebuild for the src RPM. You may have to do this multiple times if there are dependencies. The subscription for Red Hat is a support contract for the OS, nothing more, not whether or not you can run the OS after your subscription expires. That support includes the precompiled binary updates. You are still free to continue running the OS and can manually download the src RPMs from Red Hat and recompile them after your support runs out. If anything breaks, just don't ask for their help. We clarified this with Red Hat for one of our customers.

That being said, if this is a commercial server, just get support if possible.

Sean
 
gheist commented:
To stop piracy you have to convert to Oracle EL or CentOS yesterday...
(between the lines: CentOS and Oracle packages, if you know how to download them, will fix the vulnerability when applied to your RHEL)
 
rusted_planet commented:
Running your Red Hat server with no support is not piracy (we have 1200 licenses and have had customers let support lapse, and have asked Red Hat these questions). To read the EULA go here:

http://www.redhat.com/f/pdf/licenses/GLOBAL_EULA_RHEL_English_20101110.pdf

You can also legally download SRPMs (source RPMs) from (the pub stands for public):

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/

More specifically, for bash:

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bash-3.2-33.el5_11.4.src.rpm

You can then do:

rpmbuild --rebuild bash-3.2-33.el5_11.4.src.rpm



This will probably give you warnings about other software you need installed, and you will have to rebuild all the SRPMs needed. Again, this is perfectly legal; it is how OEL, Scientific Linux and CentOS are built. The GPL requires that the source code is released. The Red Hat contract is for support only. You did not buy an OS from Red Hat, you bought support for that OS.

That being said, they are correct: you should either get support for Red Hat or switch to OEL or CentOS; that will make your life a lot easier.

Sean
 
Jan Springer commented:
Go here:

http://ftp.gnu.org/gnu/bash/

Download 4.3 and 4.3-patches.

Follow the directions to apply the patches, configure, compile and install.
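Whichever rebuild route is taken, the SRPM rebuild described above or a source build installed under /usr/local/bin, the fix only counts once every bash that is actually invoked is the fixed one: a build under /usr/local/bin leaves /bin/bash, every #!/bin/bash script and every login shell in /etc/passwd pointing at the old binary. The script below is an added verification example, not from any reply in this thread; the function names, the candidate paths and the passwd lines used in its test are the example's own choices. It reports, for each bash binary, whether the shell still executes code that trails an imported function definition (the Shellshock defect), and lists the accounts whose login shell is a given path.

```shell
#!/bin/sh
# Added example (not from any reply in this thread). Checks bash binaries
# for the Shellshock defect and finds accounts still using a given shell.
# Function names and the candidate paths below are this example's own choices.

# shellshock_check BINARY
#   returns 0 if BINARY ignores code trailing an imported function
#   definition (patched), 1 if it executes that code (still vulnerable),
#   2 if BINARY does not exist or is not executable.
shellshock_check() {
    bin=$1
    [ -x "$bin" ] || return 2
    # The exported value looks like a function definition followed by one
    # extra command. That command only prints a marker: an unpatched bash
    # runs it while importing the environment at startup; a patched bash
    # never does, so only "probe-done" appears in the output.
    marker=SHELLSHOCK_TRAILING_CODE_RAN
    out=$(env probe="() { :;}; echo $marker" "$bin" -c 'echo probe-done' 2>/dev/null)
    case $out in
        *"$marker"*) return 1 ;;
        *)           return 0 ;;
    esac
}

# accounts_with_shell PASSWD_FILE SHELL
#   prints one account name per line whose login shell field equals SHELL.
accounts_with_shell() {
    awk -F: -v shell="$2" '$7 == shell { print $1 }' "$1"
}

# report
#   checks the usual bash locations and lists accounts still on /bin/bash,
#   which matters when a fixed bash was installed only under /usr/local/bin.
report() {
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        rc=0
        shellshock_check "$bin" || rc=$?
        case $rc in
            0) echo "$bin: patched" ;;
            1) echo "$bin: VULNERABLE" ;;
            *) echo "$bin: not present" ;;
        esac
    done
    echo "accounts whose login shell is /bin/bash:"
    accounts_with_shell /etc/passwd /bin/bash | sed 's/^/  /'
}

# Run the report only when explicitly requested, so the functions can be
# sourced from other scripts without side effects.
if [ "${SHELLSHOCK_REPORT:-0}" = 1 ]; then
    report
fi
```

Run it as `SHELLSHOCK_REPORT=1 sh shellshock-verify.sh` before and after the rebuild; any binary still reported VULNERABLE, or any account still on a vulnerable /bin/bash, means the work is not finished.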
 
gheist commented:
Licensing: http://www.redhat.com/es/about/licenses (new as of 2013... it runs with subscription only....)
 
rusted_planet commented:
If you have any concerns about whether you can still run Red Hat after your subscription expires, go to this URL:

http://www.redhat.com/en/about/subscription

On the left click "How it works?", look at the bottom and pay attention to this part:

What happens at the end of my subscription?

To continue to receive the benefits of your Red Hat subscriptions, you renew them so that all instances and installations of Red Hat software maintain an active subscription.

If all of your subscriptions expire and you have no other active subscriptions in your organization, you retain the right to use the software, but your entire environment will no longer receive any of the subscription benefits, including:

    The latest certified software versions.
    Security errata and bug fixes.
    Red Hat technical support.
    Access to the award-winning Customer Portal.
    Red Hat's Open Source Assurance.

We really did ask Red Hat about this and they directed us to this page. It is not piracy and you can legally keep running it. You can even download their SRPMs and recompile and apply them. Not a good business practice, but it is 100% legal. Hope this ends the clarification.
Thanks,

Sean
 
gheist commented:
What is cool is that they notified their paying customers that you should stop using unsubscribed systems without entitlement. Cheers, now go figure.
 
ncomper (Author) commented:
Thanks for all the support options, guys. RH of course never told me I could do any of the above but were happy to offer me a subscription....

What i completed in the end was as follows:

  - Make an "/etc/yum.repos.d/centos.repo" file. Its contents should look like this:

[CentOS_base]
name=CentOS-Base
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOS_updates]
name=CentOS-Updates
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOSplus]
name=CentOS-Plus
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

  - Disable the RHN yum plugin: edit "/etc/yum/pluginconf.d/rhnplugin.conf"
  - Change "enabled=1" to "enabled=0"

Run these commands:
yum clean all
yum update bash
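The same procedure as a script, added here as an example and not the author's actual file: it derives the CentOS release from the installed RHEL major version so the release in the mirrorlist URL matches the host (the author's file hard-codes release=6, which the next reply flags as a dependency problem on RHEL 5), keeps gpgcheck=1 so every downloaded package is signature-checked against the CentOS key, disables the RHN plugin, and runs the update. The function names are the example's own; /etc/redhat-release is the standard RHEL release file, and the os and updates stanzas follow the URL pattern the author posted.

```shell
#!/bin/sh
# Added example, not the thread author's file. Builds a CentOS yum repo
# definition whose release number matches the installed RHEL major version,
# disables the RHN plugin, and applies the update. Function names are this
# example's own; /etc/redhat-release is the standard RHEL release file.

# rhel_major_release "RELEASE_LINE"
#   prints the major version from a redhat-release style line, e.g. 5 from
#   "Red Hat Enterprise Linux Server release 5.11 (Tikanga)"; returns 1 if
#   the line carries no release number.
rhel_major_release() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' | grep .
}

# centos_repo_config MAJOR
#   prints the os and updates stanzas for CentOS MAJOR, with GPG signature
#   checking of every package left on (gpgcheck=1).
centos_repo_config() {
    major=$1
    for repo in os updates; do
        case $repo in
            os)      name=Base ;;
            updates) name=Updates ;;
        esac
        cat <<EOF
[CentOS_$name]
name=CentOS-$name
mirrorlist=http://mirrorlist.centos.org/?release=$major&arch=\$basearch&repo=$repo
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-$major
EOF
    done
}

# disable_plugin_conf FILE
#   rewrites enabled=1 to enabled=0 in a yum plugin config such as
#   /etc/yum/pluginconf.d/rhnplugin.conf (written via a temp file so a
#   failed write leaves the original untouched).
disable_plugin_conf() {
    f=$1
    tmp="$f.tmp.$$"
    sed 's/^enabled=1$/enabled=0/' "$f" > "$tmp" && mv "$tmp" "$f"
}

# apply
#   the full procedure; needs root and network access on the RHEL host.
apply() {
    major=$(rhel_major_release "$(cat /etc/redhat-release)") || {
        echo "cannot determine RHEL major version" >&2
        return 1
    }
    centos_repo_config "$major" > /etc/yum.repos.d/centos.repo
    disable_plugin_conf /etc/yum/pluginconf.d/rhnplugin.conf
    yum clean all
    yum update bash
}

# Only run the procedure when asked, so the functions can be tested or
# sourced without touching the host.
if [ "${CENTOS_REPO_APPLY:-0}" = 1 ]; then
    apply
fi
```

Run `CENTOS_REPO_APPLY=1 sh centos-bash-update.sh` as root to apply it. One caveat for anyone reading this later: mirrorlist.centos.org stopped serving release 5 after CentOS 5 reached end of life in 2017; the packages remain on vault.centos.org, so the mirrorlist line would need to point at a vault baseurl instead.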
 
gheist commented:
You should be using CentOS5 to match RHEL5, otherwise you enter the land of broken dependencies...