@tonejito
Last active January 24, 2019 00:25
Check @Debian and @ubuntu #GNU / @Linux for CVE-2019-3462 in APT
#!/bin/bash
# https://www.debian.org/security/2019/dsa-4371
# https://security-tracker.debian.org/tracker/CVE-2019-3462
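# Compare the installed apt version with the first fixed version for this
# release and report the result.
# Globals:   OS_VENDOR, OS_RELEASE, APT_VERSION (read, forwarded to alert)
# Arguments: $1 - installed apt version
#            $2 - minimum fixed version (the test is "$1 ge $2")
# Outputs:   "OK" on stdout when $1 >= $2, otherwise whatever alert prints
# Returns:   the vulnerable path does not return, because alert exits
function check()
{
  # Both versions are quoted so an empty or unusual string stays a single
  # argument. dpkg treats an empty version as earlier than any other, so a
  # missing installed version is reported rather than becoming a usage error.
  # Any non-zero status (older version or a comparison error) takes the
  # alert branch, i.e. the check fails closed.
  if dpkg --compare-versions "${1}" ge "${2}"
  then
    echo "OK"
  else
    alert "${OS_VENDOR}" "${OS_RELEASE}" "${APT_VERSION}"
  fi
}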
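# Report that no fixed-version threshold is known for this vendor/release.
# Arguments: $1 - distribution vendor
#            $2 - release codename
# Outputs:   one message on stdout, without a trailing newline
# Note:      only reports; it does not exit and does not set a failing status.
function fail()
{
  # Quoted so a value with spaces (or an empty one) fills exactly one %s;
  # unquoted, extra words make printf repeat the whole format string.
  printf "Unknown GNU/Linux version (%s %s)" "${1}" "${2}"
}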
# Tell the operator that no apt command was found, then stop the script.
# Outputs: "apt not installed" on stdout, without a trailing newline
# Returns: never; exits with the status of the printf (0 on success), so a
#          caller cannot tell this case apart from "OK" by exit code alone.
notice() {
  printf '%s' "apt not installed"
  exit
}
# Print the "vulnerable" verdict for this host and stop the script.
# Arguments: $1 - distribution vendor
#            $2 - release codename
#            $3 - installed apt version
# Outputs:   one message on stdout, without a trailing newline
# Returns:   never; exits with the status of the printf.
# NOTE(review): that status is 0 on success, so a vulnerable host is only
# visible in the printed text; automation that keys on the exit code will
# treat it as a pass.
alert() {
  local vendor="${1}"
  local release="${2}"
  local apt_version="${3}"
  printf "Vulnerable version! (%s %s) (apt %s)" \
    "${vendor}" "${release}" "${apt_version}"
  exit
}
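# Stop early when no `apt` command is on PATH (notice prints and exits).
# `command -v` is the shell builtin lookup and does not depend on `which`
# being installed.
# NOTE(review): this tests for the `apt` front-end binary, not the apt
# package. A host that ships only apt-get would be reported as "apt not
# installed" and never compared; confirm on the oldest targets.
command -v apt > /dev/null || notice

# Distribution facts. Each is empty when lsb_release is unavailable.
OS_VENDOR=$(lsb_release -si)
# Alternative source for the major version on Debian:
#OS_VERSION=$(cut -d . -f 1 /etc/debian_version)
OS_VERSION=$(lsb_release -sr | cut -d . -f 1)
OS_RELEASE=$(lsb_release -sc)
# Second field of the first line printed by `apt --version`.
APT_VERSION=$(apt --version 2>/dev/null | head -n 1 | awk '{print $2}')

# First fixed apt version per release; see the advisories linked at the top
# of the file. The lookup below is keyed on the major release number only.
# NOTE(review): releases sharing a major number (for example 18.04 and an
# interim 18.x) are compared against the same threshold; verify that value
# against the vendor advisory for each one.
DEBIAN_8_APT_VERSION=1.0.9.8.5
DEBIAN_9_APT_VERSION=1.4.9
UBUNTU_12_APT_VERSION=0.8.16~exp12ubuntu10.28
UBUNTU_14_APT_VERSION=1.0.1ubuntu2.19
UBUNTU_16_APT_VERSION=1.2.29ubuntu0.1
UBUNTU_18_APT_VERSION=1.6.6ubuntu0.1

case "${OS_VENDOR}" in
  Debian)
    case "${OS_VERSION}" in
      8)
        check "${APT_VERSION}" "${DEBIAN_8_APT_VERSION}"
        ;;
      9)
        check "${APT_VERSION}" "${DEBIAN_9_APT_VERSION}"
        ;;
      *)
        fail "${OS_VENDOR}" "${OS_RELEASE}"
        ;;
    esac
    ;;
  Ubuntu)
    case "${OS_VERSION}" in
      12)
        check "${APT_VERSION}" "${UBUNTU_12_APT_VERSION}"
        ;;
      14)
        check "${APT_VERSION}" "${UBUNTU_14_APT_VERSION}"
        ;;
      16)
        check "${APT_VERSION}" "${UBUNTU_16_APT_VERSION}"
        ;;
      18)
        check "${APT_VERSION}" "${UBUNTU_18_APT_VERSION}"
        ;;
      *)
        fail "${OS_VENDOR}" "${OS_RELEASE}"
        ;;
    esac
    ;;
  *)
    # Any other vendor (or an empty one when lsb_release is missing) used to
    # fall through with no output at all, which reads like a clean result.
    # Report it as unknown so the host is not silently skipped.
    fail "${OS_VENDOR}" "${OS_RELEASE}"
    ;;
esac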
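# Playbook: copy the CVE-2019-3462 check script to each host group, run it,
# and print what it wrote to stdout.
# NOTE(review): the play runs with `become: no`, yet the first two tasks
# create root-owned paths under /opt. That only works when the connection
# user can already write there; confirm how these hosts are reached.
- hosts: debian-8 , debian-9 , ubuntu-12 , ubuntu-14 , ubuntu-16 , ubuntu-18
  become: no
  tasks:
    - name: Create scripts directory
      file: dest=/opt/ansible/bin mode=755 owner=root group=staff state=directory
    - name: Copy script to server
      copy: src=check_CVE-2019-3462.sh dest=/opt/ansible/bin/check_CVE-2019-3462.sh mode=755 owner=root group=staff
    - name: Check apt version
      command: /opt/ansible/bin/check_CVE-2019-3462.sh
      become: no
      register: output
      # The script only reads package state, so do not report "changed".
      changed_when: false
    # The script exits 0 even when it prints "Vulnerable version!", so the
    # verdict is visible only in this output, never as a failed task.
    - debug: var=output.stdout_lines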
[debian-8]
[debian-9]
[ubuntu-12]
[ubuntu-14]
[ubuntu-16]
[ubuntu-18]