Matt Stauffer
Newsletter Podcasts Talks Articles Book
Sep 24, 2014 | laravel, forge

Laravel Forge - Fixing the CVE-2014-6271 Bash Vulnerability

Series

This is a series of posts on Laravel Forge.

!
Warning: This post is over a year old. I don't always update old posts with new information, so some of this information may be out of date.

What is it?

A dangerous vulnerability in bash, a shell that's enabled by default on pretty much every *nix ystem ever. Learn more here. In short, it's bad but it's wildly easy to fix.

How do I fix it?

UPDATE: Ubuntu released a patch to fix this vulnerability after I wrote this post, and since Forge auto-applies security fixes nightly, all Forge-managed servers are now safe. You can read on for fun, but you're now safe.

It's likely going to be automatically fixed in an Ubuntu security update soon, but if you want to manually update your Forge-managed servers (or any other Ubuntu servers)--I would recommend this--just SSH into your server and run the following:

$ sudo apt-get update && sudo apt-get install --only-upgrade bash

This will get an updated list of available packages (apt-get update) and then just upgrade bash. It wouldn't hurt to reboot your server afterwards, although it's not necessary--you can do this through Forge or by running sudo reboot on your server.

Not enough?:

Per this tweet, even this bash patch might not be ENOUGH--but it's better to apply and keep your eyes on the bug than to not apply.

Is my server vulnerable?

You can also run the following to check whether your server is even vulnerable:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the following output, your server is vulnerable:

vulnerable
this is a test

If you see any other output, likely the following, your server is safe:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Comments? I'm @stauffermatt on Twitter

Tags: laravel  •  forge

This is part of a series of posts on Laravel Forge:

  2. Laravel Forge - Logging With Papertrail
    May 16, 2014 | forge, laravel, papertrail
  4. Laravel Forge - Adding a Queue Worker with Beanstalkd
    May 23, 2014 | laravel, forge, queue, beanstalkd
  5. Laravel Forge - Scheduling a Cron Job
    Jun 2, 2014 | laravel, forge, cron
  6. Laravel Forge - Adding an SSL Cert
    Jun 2, 2014 | forge, laravel, ssl
  7. Laravel Forge - Password Protect a Folder
    Jun 17, 2014 | forge, htpasswd, nginx
  8. Laravel Forge - Wildcard Subdomains
    Jun 23, 2014 | laravel, forge, subdomains
  9. Laravel Forge - Using Recipes
    Jul 9, 2014 | forge, laravel, recipes
  10. Laravel Forge - Hosting on AWS
    Jul 25, 2014 | laravel, forge, aws, hosting
  11. Laravel Forge - Forge Plus and Circles
    Sep 17, 2014 | laravel, forge
  14. Starting a blog with Sculpin on Laravel Forge
    Dec 24, 2014 | forge, sculpin, fiveMinuteGeekShow

Subscribe

For quick links to fresh content, and for more thoughts that don't make it to the blog.