... back

Good news, everyone

To fix the shellshock bug you should install at least bash_4.3-9.2, but this does not work on squeeze due to the libc6 dependency


It is said this fix also works for wheezy and edge, but I only tested with squeeze.

First check if your system is vulnerable:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Edit your /etc/apt/sources.list and add LTS packages:
deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib

Now upgrade your bash
$ apt-get install --only-upgrade bash
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libnet-daemon-perl libmysqlclient15off libterm-readkey-perl libplrpc-perl
Use 'apt-get autoremove' to remove them.
Suggested packages:
Recommended packages:
The following packages will be upgraded:
1 upgraded, 0 newly installed, 0 to remove and 69 not upgraded.
Need to get 1,328 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ squeeze-lts/main bash amd64 4.1-3+deb6u2 [1,328 kB]
Fetched 1,328 kB in 1s (953 kB/s)
(Reading database ... 38170 files and directories currently installed.)
Preparing to replace bash 4.1-3 (using .../bash_4.1-3+deb6u2_amd64.deb) ...
Unpacking replacement bash ...
Processing triggers for man-db ...
Setting up bash (4.1-3+deb6u2) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.

Test your new bash version
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test