ShellShock, shock shock shock!

Update information      Edit(Sep.30)    Edit2(Oct.6)

   Have you dealt with the ShellShock threat yet? My server runs on Windows, so I think the vulnerability has no effect on mine. But it’s a very serious one. NVD gave it an impact score of 10. I have CentOS 6.5 on my VMware, so I updated its bash to bash-4.1.2-15.el6_5.2.i686.

   If you still get the following messages after updating and running

      env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

   your bash needs more updating.

      bash: warning: x: ignoring function definition attempt
      bash: error importing function definition for 'x'
      this is a test

   I got the information from Masanari Iida’s comment on the Red Hat Customer Portal.

   Several links I am curious about (actually, there are tons of articles about it on the Internet):

   By the way, up to yesterday I had six ShellShock attacks in the Apache error log and blocked their IPs, and so far today there have been two more from other IPs. I found that my Apache returned HTTP error codes to all of them.

   In “Bash bug: apply Florian’s patch now” he said “I very strongly recommend manually deploying Florian’s patch unless your distro is already shipping it.” and explained how to check whether the patch is applied or not.

   When you run foo='() { echo not patched; }' bash -c foo within the shell, the patch is already applied if you get “command not found”. If you get “not patched”, your bash is still vulnerable.

   In a comment on it, vdp wrote “These ‘toughen the feature’ patches still feel quite scary.” and made a suggestion. I agree with him.

   Today, I’ve found this (Japanese).

   It says that it’s not enough to check the bash with the code

      foo='() { echo not patched; }' bash -c foo

   Nonetheless, they are less critical than CVE-2014-6271 or CVE-2014-7169. But they are still dangerous.
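
   The two checks quoted in this post, combined into one script that interprets their output; this is an added example, not code from the original post or the linked articles, and BASH_BIN and the function names are assumptions. As said above, passing both checks does not cover the later, less critical issues.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a bash binary with the
# two probes quoted above. BASH_BIN and all function names are assumptions.

# has_line TEXT LINE: true if TEXT contains LINE as a whole line.
has_line() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# Interprets the output of:
#   env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
classify_env_probe() {
    if has_line "$1" 'vulnerable'; then
        echo vulnerable               # the command after the function body ran
    elif printf '%s\n' "$1" | grep -qF 'ignoring function definition attempt'; then
        echo needs-more-updating      # the warning pair the post describes
    elif has_line "$1" 'this is a test'; then
        echo ok                       # x was not imported as a function
    else
        echo unknown
    fi
}

# Interprets the output of:
#   foo='() { echo not patched; }' bash -c foo
classify_foo_probe() {
    if has_line "$1" 'not patched'; then
        echo not-patched              # plain variable still became a function
    elif printf '%s\n' "$1" | grep -qF 'command not found'; then
        echo patched
    else
        echo unknown
    fi
}

# Runs both probes against one binary. LC_ALL=C keeps bash's messages in
# English; "|| true" keeps the script going when the probe exits non-zero.
run_probes() {
    bin=${1:-bash}
    out1=$(LC_ALL=C env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>&1) || true
    out2=$(LC_ALL=C foo='() { echo not patched; }' "$bin" -c foo 2>&1) || true
    echo "env probe: $(classify_env_probe "$out1")"
    echo "foo probe: $(classify_foo_probe "$out2")"
}

run_probes "${BASH_BIN:-bash}"
```

   Set BASH_BIN to the path of another bash binary to test it instead of the one on PATH.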

Updating to PHP5.6.1.

   They released the PHP5.6.1 Windows version on Sep-25 06:28:30UTC. Recently, the Windows versions have been released earlier than the other versions. So, I updated my PHP from 5.6.0 to 5.6.1 on my Web server (Windows7HP+SP1(x86)).

   There is no difference between the two php.ini-production files except a misspelling correction. So I replaced all files and copied my php.ini file to the folder. Then I restarted the httpd.exe.

   The OPcache bug still remains. But the above are my ordinary steps. So I thought “That’s it.”

   Buuuuuuuuuuuuuuuuuut I had a lot of trouble this time. First I found the warning “PHP Startup: in Unknown on line 0” in the Apache error log. Only this. It had no module name or anything else. But it was just a warning, i.e. that was a very little problem. And when I checked the PHP information for PHP Version 5.6.1, I found out that php_curl.dll was not loaded. Boo-hoo-hoo!

   Finally I found the solution after a whole day of hard work.
   I added “x:\PHP install directory” to the PATH environment variable. I think, usually, most PHP users add it when they first install PHP. But I didn’t and I had no problem until today. At first I guessed this was a new requirement of PHP5.6.1. However, after reading “the curl extension doesn’t load using apache” and seeing its date, I bet that this trouble may depend on Windows security updates.

   Anyway, PHP5.6.1 is working well on the server.

   If you need more information about the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.