Merge pull request #1588 from edx/cg/shellshock2

Updated to check for shellshock revisted

Merge pull request #1588 from edx/cg/shellshock2
Updated to check for shellshock revisted
22f63ea8 · John Jarvis · b2eefd08 · 111b7a35 · 22f63ea8
Commit 22f63ea8 authored Sep 26, 2014 by John Jarvis
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

playbooks/roles/security/tasks/security-ubuntu.yml
+6 -2

No files found.
--- a/playbooks/roles/security/tasks/security-ubuntu.yml
+++ b/playbooks/roles/security/tasks/security-ubuntu.yml
 #### Bash security vulnerability

 - name: Check if we are vulnerable
-  shell: executable=/bin/bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
+  shell: executable=/bin/bash chdir=/tmp env X='() { (a)=>\' bash -c "echo echo check"; [[ "$(cat echo)" == "check" ]] && echo "vulnerable"
  register: test_vuln
+  ignore_errors: yes

 - name: Apply bash security update if we are vulnerable
  apt: name=bash state=latest update_cache=true
  when: "'vulnerable' in test_vuln.stdout"

+- name: Delete check file
+  file: path=/tmp/echo state=absent
+
 - name: Check again and fail if we are still vulnerable
-  shell: executable=/bin/bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
+  shell: executable=/bin/bash chdir=/tmp env X='() { (a)=>\' bash -c "echo echo check"; [[ "$(cat echo)" == "check" ]] && echo "vulnerable"
  when: "'vulnerable' in test_vuln.stdout"
  register: test_vuln
  failed_when: "'vulnerable' in test_vuln.stdout"