Solved

How to patch RedHat 5 for Shellshock without subscription

Posted on 2014-09-29
11
618 Views
Last Modified: 2014-10-24
Hi All,
I need to patch some servers for the ShellShock exploit but do not have the subscription to pull it down direct. The servers are going EOL in December and I do not want to have to purchase the subscription for 2 months, is there a way around this?

I have seen:
http://icewalkerz.blogspot.co.uk/2009/10/how-to-use-centos-repos-in-rhel-5.html
but when I run "yum-rhn-plugin" I get Failed on Dependencies

I cannot find any ISO downloads to install from CD-ROM; I might just be special here, so anything you could offer would be appreciated.
Question by:ncomper
11 Comments
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 55 total points
ID: 40350131
if you are running RHEL and don't have a subscription that violates the EULA
are you planning to use RHEL on other servers beyond these when the hardware is EOL?
subscriptions are not tied to physical systems so if you renew for a year, you can later remove these systems from your subscription and assign new servers since you then have a subscription available
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 111 total points
ID: 40350219
Either change your shell from bash to dash (and any other shell links to bash) or download bash from source and compile it -- referencing /usr/local/bin/bash where today you reference /bin/bash after the installation is complete.
0
 
LVL 2

Assisted Solution

by:rusted_planet
rusted_planet earned 168 total points
ID: 40351358
Download the src rpm from Redhat's public website.  This is free under the GPL license.  Then do a rpmbuild --rebuild for the src rpm.  You may have to do this multiple times if there are dependencies.  The subscription for Redhat is a support contract for the OS nothing more, not the ability whether or not you can run the OS after your subscription expires.  That support includes the precompiled binary updates.  You are still free to continue running the OS and can manually download the src rpms from Redhat and recompile them after your support runs out.  If anything breaks just don't ask for their help.  We clarified this with Redhat for one of our customers.

That being said if this is a commercial server just get support if possible.

Sean
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 40352438
To stop piracy you have to convert to Oracle EL or CentOS yesterday...
(between the lines - centos and oracle packages if you know how to download them will fix the vulnerability when applied to your RHEL)
0
 
LVL 2

Assisted Solution

by:rusted_planet
rusted_planet earned 168 total points
ID: 40353383
Running your Redhat server with no support is not piracy (we have 1200 licenses and have had customers let support lapse and have asked Redhat these questions).  To read the EULA go here:

http://www.redhat.com/f/pdf/licenses/GLOBAL_EULA_RHEL_English_20101110.pdf

You can also legally download SRPMS (source RPMS) from (the pub stands for public):

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/

more specifically for the bash:

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bash-3.2-33.el5_11.4.src.rpm

You can then do a:

rpmbuild --rebuild bash-3.2-33.el5_11.4.src.rpm



This will probably give you warnings about other software you need installed.  And you will have to rebuild all the SRPMs needed.  Again this is perfectly legal, it is how OEL, Scientific Linux and CENTOS are built.  The GPL requires that the source code is released.  The Redhat contract is for support only.  You did not buy an OS from Redhat, you bought support for that OS.

That being said they are correct you should either get support for Redhat or switch to OEL or CENTOS, that will make your life a lot easier.

Sean
0

 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 111 total points
ID: 40353393
Go here:

http://ftp.gnu.org/gnu/bash/

Download 4.3 and 4.3-patches.

Follow the directions to apply the patches, configure, compile and install.
0
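Whichever route is taken (rusted_planet's SRPM rebuild into /bin/bash, or Jan Springer's source build into /usr/local/bin/bash), the patch should be verified on the host afterwards. The following check is an added example and not part of any answer in the thread; it runs the widely published CVE-2014-6271 self-test against the interpreter passed as its first argument (the path is an assumption; default is whatever `bash` resolves to) and reports `patched`, `vulnerable` or `no-bash`.

```shell
#!/bin/sh
# Added example (not from the thread): post-patch verification for the
# original Shellshock bug (CVE-2014-6271).
#
# Usage: shellshock_status /bin/bash          (rebuilt SRPM route)
#        shellshock_status /usr/local/bin/bash (source build route)
#
# Exit status: 0 = patched, 1 = still vulnerable, 2 = interpreter not found.
shellshock_status() {
    bash_bin="${1:-bash}"   # assumption: path of the bash to verify

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi

    # An unpatched bash imports the function definition from the environment
    # and keeps executing the text after the closing brace, so "vulnerable"
    # appears in the output. A patched bash treats x as a plain variable and
    # prints only "ok" (older fixed builds also warn on stderr; discarded here).
    out=$(env 'x=() { :;}; echo vulnerable' "$bash_bin" -c 'echo ok' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}
```

Run it once per interpreter you replaced; a source build left beside the original /bin/bash only protects callers that actually reference /usr/local/bin/bash, which is why the argument matters.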
 
LVL 61

Expert Comment

by:gheist
ID: 40353961
Licencing: http://www.redhat.com/es/about/licenses (new as of 2013... it runs with subscription only....)
0
 
LVL 2

Accepted Solution

by:rusted_planet
rusted_planet earned 168 total points
ID: 40355578
Any concerns if you can still run Redhat after your subscription expires, then go to this url:

http://www.redhat.com/en/about/subscription

On the left click "How it works?"  look at the bottom and pay attention to this part:

What happens at the end of my subscription?

To continue to receive the benefits of your Red Hat subscriptions, you renew them so that all instances and installations of Red Hat software maintain an active subscription.

If all of your subscriptions expire and you have no other active subscriptions in your organization, you retain the right to use the software, but your entire environment will no longer receive any of the subscription benefits, including:

    The latest certified software versions.
    Security errata and bug fixes.
    Red Hat technical support.
    Access to the award-winning Customer Portal.
    Red Hat's Open Source Assurance.

We really did ask Redhat about this and they directed us to this page.  It is not piracy and you can legally keep running it.  You can even download their SRPMS and recompile and apply them.  Not a good business practice but it is 100% legal.  Hope this ends the clarification.
Thanks,

Sean
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 40356302
What is cool they notified their paying customers that you should stop using unsubscribed systems without entitlement. Cheers, now go figure
0
 
LVL 5

Author Comment

by:ncomper
ID: 40356665
Thanks for all the support options guys, RH of course never told me I could do any of the above but were happy to offer me a subscription....

What i completed in the end was as follows:

  - Make an "/etc/yum.repos.d/centos.repo" file. Contents should look like this:

[CentOS_base]
name=CentOS-Base
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOS_updates]
name=CentOS-Updates
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
[CentOSplus]
name=CentOS-Plus
mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

 - Disable RHN yum plugin, edit "/etc/yum/pluginconf.d/rhnplugin.conf"
 - Change "enabled=1" to "enabled=0"

Run these commands:
yum clean all
yum update bash
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 40356669
You should be using CentOS5 to match RHEL5, otherwise you enter the land of broken dependencies...
0
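The steps ncomper listed, written as a script that follows gheist's correction and points at CentOS 5 rather than CentOS 6 so the package set matches RHEL 5. This is an added example, not the author's own procedure or anything from CentOS: the mirrorlist and GPG-key URLs are ncomper's with the release number changed from 6 to 5 (an assumption, and as of 2014; those hosts may no longer serve CentOS 5), `ROOT` is an added prefix so the script can be dry-run into a scratch directory instead of `/`, and `gpgcheck=1` is kept so yum still verifies package signatures against the CentOS key.

```shell
#!/bin/sh
# Added example (not from the thread): ncomper's yum steps as a script,
# targeting CentOS 5 to match RHEL 5 as gheist advised.
# ROOT is an assumption: empty means the real system, a scratch dir for a dry run.
ROOT="${ROOT:-}"

# Write /etc/yum.repos.d/centos.repo with base, updates and centosplus sections.
# $basearch stays literal in the file so yum expands it at run time.
write_centos_repo() {
    release="${1:-5}"     # CentOS major release to track (5 for RHEL 5)
    repo_file="$ROOT/etc/yum.repos.d/centos.repo"
    key="http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-$release"   # assumed URL
    mkdir -p "$(dirname "$repo_file")"

    for pair in base:os updates:updates plus:centosplus; do
        name="${pair%%:*}"
        repo="${pair#*:}"
        printf '[CentOS_%s]\nname=CentOS-%s\nmirrorlist=http://mirrorlist.centos.org/?release=%s&arch=$basearch&repo=%s\ngpgcheck=1\nenabled=1\ngpgkey=%s\n\n' \
            "$name" "$name" "$release" "$repo" "$key"
    done > "$repo_file"
}

# Flip enabled=1 to enabled=0 in /etc/yum/pluginconf.d/rhnplugin.conf.
# Uses a temp file rather than sed -i so it works with any POSIX sed.
disable_rhn_plugin() {
    conf="$ROOT/etc/yum/pluginconf.d/rhnplugin.conf"
    [ -f "$conf" ] || return 0      # nothing to disable on hosts without the plugin
    sed 's/^enabled=1$/enabled=0/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# The final two commands from ncomper's post; only meaningful on the real host.
update_bash() {
    yum clean all && yum update bash
}

# Usage on the real server (as root):
#   write_centos_repo 5 && disable_rhn_plugin && update_bash
# Dry run into a scratch directory:
#   ROOT=/tmp/dryrun write_centos_repo 5
```

After the run, `rpm -q bash` on the host should show a CentOS 5 build of bash rather than the original RHEL package, and the signature check will refuse any package not signed with the key named in the repo file.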
