Hallo zusammen,

nachdem ja die Bashlücke Shellshock sehr gravierend ist, sollte man die tunlichst schliessen.
Falls jemand zufällig Linux-Distributionen im Einsatz hat, die schon EOL sind, gibt es auch
dafür keine Updates mehr.

Eine Alternative ist, die Bash auf dem System selbst neu zu kompilieren, z. B. mit diesen paar Befehlen:

Code:
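# Rebuild bash 4.3 from the GNU sources and install it over the system bash.
#
# Everything runs in a subshell: `set -e` stops at the first failed step (so a
# missing or rejected patch can never end in an installed, half-patched bash)
# without closing the interactive shell these lines are pasted into, and the
# caller's working directory is left untouched. On failure ./src is kept for
# inspection.
(
set -e

base_url=https://ftp.gnu.org/gnu/bash
# Highest patch number to fetch. 28 is the level this recipe was written for;
# check the bash-4.3-patches directory for newer patches before building.
last_patch=28

mkdir src
cd src

# Download the tarball, all patches and their detached signatures.
# If the old system's wget cannot negotiate TLS, download and verify on a
# current machine instead and copy the files over.
wget "$base_url/bash-4.3.tar.gz" "$base_url/bash-4.3.tar.gz.sig"
for i in $(seq -f "%03g" 1 "$last_patch"); do
        wget "$base_url/bash-4.3-patches/bash43-$i" \
             "$base_url/bash-4.3-patches/bash43-$i.sig"
done

# Verify every file before it is unpacked or applied. This needs the bash
# maintainer's public key in the local keyring, obtained and checked
# out-of-band; gpg fails (and the build stops) if the key is missing.
gpg --verify bash-4.3.tar.gz.sig bash-4.3.tar.gz
for i in $(seq -f "%03g" 1 "$last_patch"); do
        gpg --verify "bash43-$i.sig" "bash43-$i"
done

tar zxvf bash-4.3.tar.gz
cd bash-4.3

# Apply all patches in order; a patch that does not apply aborts the build.
for i in $(seq -f "%03g" 1 "$last_patch"); do
        patch -p0 < "../bash43-$i"
done

# Build. The steps are separate commands because `set -e` does not stop on a
# failure inside an `a && b && c` chain unless the last command fails.
./configure --prefix=/
make

# Check the fresh binary before it replaces the system shell: it must start,
# and the function-import probe must no longer print "vulnerable".
./bash -c 'exit 0'
if env x='() { :;}; echo vulnerable' ./bash -c 'echo hello' 2>/dev/null | grep -q vulnerable; then
        echo "freshly built bash is still vulnerable, not installing" >&2
        exit 1
fi

# --prefix=/ makes this install to /bin/bash, i.e. it overwrites the system bash.
make install

cd ../..
rm -r src
)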
...oder schlicht das bash-static-Binary aus den Debian-Security-Updates nehmen. Das läuft aber nur, wenn der Kernel nicht zu alt ist.

Hier noch ein Script, das die Bash-Binaries auch auf viele Server verteilen kann.

Code:
#!/bin/bash

#
# Upgrades bash on remote hosts; each new binary is test-run on the host before it overwrites the real bash
#
# prerequisites:
#
# - Default user "root" for ssh
# - Key based authentication for remote root is set up
# - bash binaries /tmp/bash32 and /tmp/bash64 exist
# - a host file with one hostname per line
#

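# Without a hosts-file argument there is nothing to do: print usage and stop.
if [ "$#" -lt 1 ]; then
        # Quote $0 so a script path containing spaces is not word-split, and
        # use -- so a path starting with "-" is not read as an option.
        prog=$(basename -- "$0")
        echo "$prog : upgrade bash"
        echo
        echo "Usage: $prog [hosts-file]"
        echo "hosts-file : file with vms/dedicated servers, one per line"
        echo
        exit 1
fi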

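# Accept the hosts file only if the argument is non-empty and readable.
# An empty argument is rejected too: it would leave FILE unset, and the later
# file check and read would then operate on an empty name.
if [ -n "$1" ] && [ -r "$1" ]; then
        FILE="$1"
else
        # Report the argument that was actually checked ($1).
        echo "Datei $1 nicht vorhanden/lesbar"
        exit 1
fi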

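#######################################
# Probe a host for the bash function-import flaw.
# The probe only exercises the one vector shown below, so " safe" and
# "fixed successfully" mean that this probe no longer triggers; they do not
# prove that the remote bash carries every later fix.
# Arguments: $1 - host
# Returns:   0 if the remote bash prints "vulnerable", non-zero otherwise
#######################################
is_vulnerable() {
        ssh "$1" "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" 2>/dev/null | grep -q vulnerable
}

#######################################
# Copy a new bash to a host, test-run it there and activate it.
# The binary is staged as /bin/bash.new rather than under a fixed name in the
# world-writable /tmp, and the final mv is then a rename inside /bin, so
# /bin/bash is never left half-written.
# The local source is still /tmp/<binary>; on a shared admin machine make sure
# nobody else can have placed those files there.
# Arguments: $1 - host, $2 - local binary name (bash32 or bash64)
# Outputs:   progress dots and one result line on stdout
#######################################
deploy_bash() {
        local host=$1 binary=$2
        local staged=/bin/bash.new

        if ! rsync "/tmp/$binary" "$host:$staged"; then
                echo "copying new bash binary to remote host failed"
                return
        fi
        echo -n .
        # Test-run the new binary on the host before it replaces the real one.
        if ! ssh "$host" "$staged" -c nix=0 2>/dev/null; then
                # Do not leave an unusable binary behind in /bin.
                ssh "$host" rm -f "$staged" 2>/dev/null
                echo "fix not possible, bash binary not working on remote host"
                return
        fi
        echo -n .
        if ! ssh "$host" mv "$staged" /bin/bash; then
                echo "Activating new bash failed on host"
                return
        fi
        echo -n .
        if is_vulnerable "$host"; then
                echo "fix tried, but still vulnerable"
        else
                echo "fixed successfully"
        fi
}

#######################################
# Check one host and upgrade its bash if the probe reports it vulnerable.
# Arguments: $1 - host name as read from the hosts file
# Outputs:   one status line per host on stdout
#######################################
check_host() {
        local host=$1 arch

        printf "%-40s" "$host "
        # The name ends up on ping/ssh/rsync command lines; an entry starting
        # with "-" would be parsed there as an option, so it is never used.
        case $host in
                -*)
                        echo " invalid hostname, skipping"
                        return
                        ;;
        esac
        if ! ping -c1 -w1 "$host" >/dev/null 2>&1; then
                echo " nicht erreichbar"
                return
        fi
        echo -n " ."
        # BatchMode makes ssh fail instead of prompting when key login does
        # not work, so a host without key setup cannot stall the run.
        if ! ssh -o BatchMode=yes "$host" date >/dev/null 2>&1; then
                echo " kein SSH-Auto-login"
                return
        fi
        echo -n .
        arch=$(ssh "$host" uname -m -o -r)
        if ! is_vulnerable "$host"; then
                echo " safe"
                return
        fi
        echo -n .
        if ! grep -qi linux <<<"$arch"; then
                echo "Remote System not linux, skipping"
        elif grep -qi x86_64 <<<"$arch"; then
                deploy_bash "$host" bash64
        elif grep -qi 'i[34567]86' <<<"$arch"; then
                deploy_bash "$host" bash32
        else
                # Terminate the status line instead of leaving it hanging.
                echo "no bash binary for this architecture, skipping"
        fi
}

if [ -f "$FILE" ]; then
        # Read all names first: whitespace-separated as before, but without
        # glob expansion, and without the loop holding the file open while
        # ssh runs.
        hosts=()
        while read -r -a words || [ "${#words[@]}" -gt 0 ]; do
                hosts+=("${words[@]}")
        done < "$FILE"
        for host in "${hosts[@]}"; do
                check_host "$host"
        done
else
        echo "Datei $FILE nicht gefunden"
fi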