nbalonso.com

Shellshock Patching for Munki Admins


Update: Security Update 2014-005 now patches Shellshock, so you won't be needing this.

On the night of September 29th Apple released three updates, one each for OS X 10.7.5, 10.8.5 and 10.9.5, to fix the famous Shellshock vulnerability in bash (CVE-2014-6271).

As soon as they were released the Mac admins started telling each other (as always, thanks for the heads up!), and one of the most common responses I read on Twitter and IRC was

“oh! but I don’t see it in my SUS. Is it not a security update?”

The short and straight answer is

“No. deal with it”

So as soon as I got hold of the packages I imported them into my Munki repo and started rolling out the fix, which doesn't even require a restart and can be installed silently with no undesired side effects (to my knowledge).

Here are my three pkginfos. The keys that matter are unattended_install (true, so Munki installs without bothering the user), minimum_os_version (pinned to the point release each pkg is built for) and the receipt, which is what Munki uses to decide whether the update is already installed:

BashUpdateLion-1.0.1.1306847324.pkginfo

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>autoremove</key>
    <false/>
    <key>unattended_install</key>
    <true/>
    <key>catalogs</key>
    <array>
      <string>common</string>
    </array>
    <key>category</key>
    <string>Business</string>
    <key>description</key>
    <string>This update fixes a security flaw in the bash UNIX shell.

    For more information on the security content of this update, see http://support.apple.com/kb/HT1222.</string>
    <key>developer</key>
    <string>Apple</string>
    <key>display_name</key>
    <string>OS X bash Update</string>
    <key>icon_name</key>
    <string>Generic.png</string>
    <key>installed_size</key>
    <integer>3906</integer>
    <key>installer_item_hash</key>
    <string>7d90d7a70fdfe7464207345848377b3a2f5df1067a89cac7ce0abc5ff0003c52</string>
    <key>installer_item_location</key>
    <string>Apple/BashUpdateLion-1.0.1.1306847324.pkg</string>
    <key>installer_item_size</key>
    <integer>3310</integer>
    <key>minimum_os_version</key>
    <string>10.7.5</string>
    <key>name</key>
    <string>BashUpdateLion</string>
    <key>receipts</key>
    <array>
      <dict>
        <key>installed_size</key>
        <integer>6010</integer>
        <key>packageid</key>
        <string>com.apple.pkg.update.os.bash.lion.1.0.163-3</string>
        <key>version</key>
        <string>1.0.1.1306847324</string>
      </dict>
    </array>
    <key>uninstall_method</key>
    <string>removepackages</string>
    <key>uninstallable</key>
    <false/>
    <key>version</key>
    <string>1.0.1.1306847324</string>
  </dict>
</plist>

BashUpdateMountainLion-1.0.0.0.1.1306847324.pkginfo

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>autoremove</key>
  <false/>
  <key>unattended_install</key>
  <true/>
  <key>catalogs</key>
  <array>
    <string>common</string>
  </array>
  <key>category</key>
  <string>Business</string>
  <key>description</key>
  <string>This update fixes a security flaw in the bash UNIX shell.

For more information on the security content of this update, see http://support.apple.com/kb/HT1222.</string>
  <key>developer</key>
  <string>Apple</string>
  <key>display_name</key>
  <string>OS X bash Update</string>
  <key>icon_name</key>
  <string>Generic.png</string>
  <key>installed_size</key>
  <integer>3859</integer>
  <key>installer_item_hash</key>
  <string>d5d12742d1e1ca6e46842467fcf503a824f8abcb4e460a1f33fbfd8a5c7ece52</string>
  <key>installer_item_location</key>
  <string>Apple/BashUpdateMountainLion-1.0.0.0.1.1306847324.pkg</string>
  <key>installer_item_size</key>
  <integer>3182</integer>
  <key>minimum_os_version</key>
  <string>10.8.5</string>
  <key>name</key>
  <string>BashUpdateMountainLion</string>
  <key>receipts</key>
  <array>
    <dict>
      <key>installed_size</key>
      <integer>5938</integer>
      <key>packageid</key>
      <string>com.apple.pkg.update.os.bash.mountainlion.1.0.58.0.30-3</string>
      <key>version</key>
      <string>1.0.0.0.1.1306847324</string>
    </dict>
  </array>
  <key>uninstall_method</key>
  <string>removepackages</string>
  <key>uninstallable</key>
  <false/>
  <key>version</key>
  <string>1.0.0.0.1.1306847324</string>
</dict>
</plist>

BashUpdateMavericks-1.0.0.0.1.1306847324.pkginfo

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>autoremove</key>
  <false/>
  <key>unattended_install</key>
  <true/>
  <key>catalogs</key>
  <array>
    <string>common</string>
  </array>
  <key>category</key>
  <string>Business</string>
  <key>description</key>
  <string>This update fixes a security flaw in the bash UNIX shell.

For more information on the security content of this update, see http://support.apple.com/kb/HT1222.</string>
  <key>developer</key>
  <string>Apple</string>
  <key>display_name</key>
  <string>OS X bash Update</string>
  <key>icon_name</key>
  <string>Generic.png</string>
  <key>installed_size</key>
  <integer>3724</integer>
  <key>installer_item_hash</key>
  <string>1ec1d1644e1e023cd75d43cfc872f83b2e7ec0b042a05e2c109305252864da42</string>
  <key>installer_item_location</key>
  <string>Apple/BashUpdateMavericks-1.0.0.0.1.1306847324.pkg</string>
  <key>installer_item_size</key>
  <integer>3231</integer>
  <key>minimum_os_version</key>
  <string>10.9.5</string>
  <key>name</key>
  <string>BashUpdateMavericks</string>
  <key>receipts</key>
  <array>
    <dict>
      <key>installed_size</key>
      <integer>5730</integer>
      <key>packageid</key>
      <string>com.apple.pkg.update.os.bash.mavericks.1.0.2.1.15.24-3</string>
      <key>version</key>
      <string>1.0.0.0.1.1306847324</string>
    </dict>
  </array>
  <key>uninstall_method</key>
  <string>removepackages</string>
  <key>uninstallable</key>
  <false/>
  <key>version</key>
  <string>1.0.0.0.1.1306847324</string>
</dict>
</plist>

Then this would go in the relevant manifest(s), so each system only gets the package built for its own OS version:

<key>conditional_items</key>
<array>
  <dict>
    <key>condition</key>
    <string>os_vers == "10.7.5"</string>
    <key>managed_installs</key>
    <array>
      <string>BashUpdateLion</string>
    </array>
  </dict>
  <dict>
    <key>condition</key>
    <string>os_vers == "10.8.5"</string>
    <key>managed_installs</key>
    <array>
      <string>BashUpdateMountainLion</string>
    </array>
  </dict>
  <dict>
    <key>condition</key>
    <string>os_vers == "10.9.5"</string>
    <key>managed_installs</key>
    <array>
      <string>BashUpdateMavericks</string>
    </array>
  </dict>
</array>

With these, after more than a thousand systems patched so far, I have not heard a single complaint, even from people who had Terminal open :)

PS: There is one thing that can potentially go wrong with these. If Apple releases a cumulative security patch that includes the bash fix, if that patch does not bump the system version, if your systems get that cumulative patch _before_ this bash update, and if this bash update then fails to install because the system is already up to date and the pkg receipt never lands on the clients, Munki will report install failures and keep trying to install it again and again.

It is unlikely, but it can happen, so make sure you review this if the day comes.
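One way to take that risk off the table, as an added example that is not part of the original post and not Apple's or Munki's own code: make the "is it installed?" decision depend on how bash behaves rather than on a receipt. The script below uses the public CVE-2014-6271 test string (an exported variable that looks like a function definition with a trailing command) and wraps the result in the shape Munki expects from an installcheck_script, which per the Munki wiki is exit 0 for "install needed" and any other status for "already installed". The file name shellshock_installcheck.sh is my choice; the script only tests the original bug, not the follow-up parser bugs that got their own CVEs, and it assumes a bash binary is reachable via PATH or passed as the first argument.

```sh
#!/bin/sh
# shellshock_installcheck.sh (example added to this post; file name and
# structure are my own, not Apple's or Munki's).
#
# Decides whether a Mac still needs the bash update by testing what bash
# does, not by looking for a package receipt. If the fix ever arrives
# through some other update and the receipt never lands, a receipt-based
# check keeps asking Munki to install; this one simply reports "patched".
#
# Assumed Munki installcheck_script contract (from the Munki wiki):
#   exit 0      -> item not installed, Munki should install it
#   exit non-0  -> item already installed, nothing to do

# Return 0 if the bash given as $1 (default: first bash in PATH) is
# patched against CVE-2014-6271, 1 if it is vulnerable, 2 if no bash found.
shellshock_patched() {
    bash_bin="${1:-$(command -v bash || true)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    # Unpatched bash keeps parsing past the function body "() { :;}" and
    # runs "echo VULN" while importing x from the environment; patched
    # bash stops at the closing brace and just echoes "done".
    out=$(env x='() { :;}; echo VULN' "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *VULN*) return 1 ;;
        *)      return 0 ;;
    esac
}

# One word for humans: patched, vulnerable or no-bash.
shellshock_status() {
    if shellshock_patched "$@"; then
        echo patched
    elif [ $? -eq 2 ]; then
        echo no-bash
    else
        echo vulnerable
    fi
}

# Munki installcheck semantics. Only a bash that demonstrably runs the
# injected command asks for an install; "no bash found" is treated as
# nothing to do rather than as a reason to retry the install forever.
needs_bash_update() {
    if shellshock_patched "$@"; then
        return 1
    elif [ $? -eq 2 ]; then
        return 1
    else
        return 0
    fi
}

# Run by hand: print the bash version line and the status word.
bash_bin="${1:-$(command -v bash || true)}"
if [ -n "$bash_bin" ]; then
    printf '%s: %s\n' "$("$bash_bin" --version 2>/dev/null | head -n 1)" \
        "$(shellshock_status "$bash_bin")"
else
    echo "no bash found in PATH: $(shellshock_status)"
fi
```

Munki runs an installcheck_script with no arguments and looks only at its exit status, so to embed this in a pkginfo keep the three functions and end the script with a bare `needs_bash_update` instead of the report at the bottom. Run by hand on a client it tells you at a glance whether the update actually took, independent of what the receipt database says.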
