Has the redhat patch been pushed through centos yet?

cesarb · on Sept 24, 2014

Apparently, no. When it does, it should appear at http://lists.centos.org/pipermail/centos-announce/2014-Septe... (if you admin CentOS servers, it can be a good idea to subscribe to that list).

skorgu · on Sept 24, 2014

Yes: http://lists.centos.org/pipermail/centos-announce/2014-Septe...

Verify your shasums before trusting a command line off the internet but:

rpm -Uvh http://mirror.centos.org/centos-6/6/updates/x86_64/Packages/... http://mirror.centos.org/centos-6/6/updates/x86_64/Packages/...

ck2 · on Sept 24, 2014

Looks like it works. I guess it is okay that after the close quote the command still runs even though it is not terminated

     env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
     bash: warning: x: ignoring function definition attempt
     bash: error importing function definition for `x'
     this is a test

Eiriksmal · on Sept 24, 2014

It's out by now for both Centos 6 and 7. Ironically, their Redhat brethren on the Fedora 20 project haven't released an update yet.

smsm42 · on Sept 25, 2014

My CentOS now says "ignoring function definition attempt" after the upgrade, so I assume CentOS update is now out.