@l0neranger
Forked from srgvg/util-bash-vuln-upgrade.yml
Last active August 29, 2015 14:06
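---
# Upgrade bash on apt-based hosts. On Debian 6 the squeeze-lts archive is
# added and made the default release first, so that apt can find the updated
# package there. A probe command runs before and after the upgrade.
- hosts: all
  gather_facts: true
  name: CVE-2014-6271 - Bash Fix with Debian 6 Support
  tasks:
    # Ensure one deb and one deb-src entry for squeeze-lts in sources.list.
    # The patterns are anchored at line start: lineinfile uses a regex search
    # and replaces the last matching line, so an unanchored 'deb(.*)' also
    # matches the deb-src entry and overwrites it on every re-run.
    # NOTE(review): the archive URL is plain http; package integrity then
    # rests on apt's signature verification, so keep that enabled.
    - name: Add LTS to sources.list
      lineinfile:
        dest: /etc/apt/sources.list
        insertafter: EOF
        state: present
        backup: true
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      with_items:
        - regexp: '^deb\s+(.*)squeeze-lts(.*)'
          line: 'deb http://http.debian.net/debian/ squeeze-lts main contrib non-free'
        - regexp: '^deb-src\s+(.*)squeeze-lts(.*)'
          line: 'deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free'
      # "hosts: all" can include other distributions whose major version is
      # also 6, so the distribution name is checked as well.
      when: ansible_distribution == 'Debian' and ansible_distribution_major_version|int == 6

    # Make squeeze-lts the default release for apt on Debian 6.
    # The line is single-quoted because it contains double quotes itself;
    # the key=value form with nested double quotes does not survive
    # argument parsing intact.
    - name: Change release version to squeeze-lts
      lineinfile:
        dest: /etc/apt/apt.conf.d/50squeezelts
        state: present
        backup: true
        create: true
        regexp: '(.*)Default-Release(.*)'
        line: 'APT::Default-Release "squeeze-lts";'
      when: ansible_distribution == 'Debian' and ansible_distribution_major_version|int == 6

    # Pre-upgrade probe. It never fails and never reports a change; its
    # output is only recorded for the upgrade condition below.
    - name: check bash fix
      command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
      register: command_result
      failed_when: false
      changed_when: false

    # Upgrade unless the probe's stderr contained "error". A bash that
    # prints nothing on stderr still gets the upgrade, which is a no-op
    # when the package is already at the latest version.
    - name: update apt cache and upgrade bash
      apt:
        state: latest
        update_cache: true
        name: bash
      when: "'error' not in command_result.stderr"
      register: apt_update

    # Refresh the linker cache only when the package actually changed.
    # The "|changed" filter form is not accepted by current Ansible
    # releases; reading the result attribute works on old and new versions.
    - name: fix libs
      command: /sbin/ldconfig
      when: apt_update.changed | default(false)

    # Post-upgrade verification. The probe's injected "echo vulnerable"
    # writes to stdout, so an affected bash shows up there while stderr
    # stays empty. Failing on non-empty stderr would pass a still-vulnerable
    # host and fail a patched bash that merely prints a warning.
    # NOTE(review): this probe exercises only the test vector shown here;
    # confirm the installed package version against the distribution's
    # advisory as well.
    - name: check bash fix
      command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
      register: command_result
      failed_when: "'vulnerable' in command_result.stdout"
      changed_when: false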