1 Reply Latest reply on Oct 5, 2014 12:00 AM by Peter Massa

    How can I update bash on my Linux Servers via Landesk?


      I have installed v9.6 of the Landesk Linux agent on my Linux servers. I have never distributed anything to a Linux server via Landesk and would like to leverage the shellshock exploit to start doing so. Can anyone let me know how this can be done via Landesk?

        • 1. Re: How can I update bash on my Linux Servers via Landesk?
          Peter Massa Expert



          For Linux patching in general you can look at:

          Linux 64bit Patching


          This has a method to install a specific patch or all patches. However, if you do not want to use my method above, you could use the following script and put it in a custom definition.


          Detection Logic -> Custom Script:



          #set -x
          reason="Yum Check-Update Ran-Vulnerable to Shell Shock - Bash Patch"
          RV=0

          # To Test - uncomment below and enter one test device's name here - to patch all systems, re-comment out the below line.
          #if [[ $(hostname) == *enterhostnamehere* ]]; then

          # Check if vulnerable - if it is, update bash.  If not vulnerable echo Not Vulnerable and set the status as "patched".
          # The probe runs in a child bash, so its result is read from the child's output; a variable set in the child never reaches this script.
          if env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null | grep -q vulnerable; then
            yum -y update bash > /opt/landesk/vulscan-bash-patchlog.ini
            RV=1
          else
            echo "Not Vulnerable"
          fi

          #To Test - uncomment below fi line, to patch all systems - re-comment out the below line.
          #fi

          if [ "$RV" -eq 1 ]; then
            echo "${reason}" >&1
            echo "Yum Check-Bash Update Ran" >&2
          fi

          exit $RV



          *Please test this before doing it in production - I literally just wrote it and do not know if I mistyped anything or if there is a flaw.


          You would then apply this patch definition to the device you desire to patch for testing via the bolded and underlined lines above. After testing is completed - re-comment those lines and all of your systems should get the patch if they are vulnerable.


          *Note: to scope which devices get this patch - I would advise applying a query filter to the custom definition detection rules.


          *Note: this will patch bash to the latest version.  The current shell shock patch does not require a reboot - but if your systems are out of date, a previous bash patch may require one.


          Please also see: Linux - Patching Bash - Latest CVE-2014-6278


          Hope this helps,