This is a proof-of-principle for patching OS X hosts for Shellshock


This is a proof-of-principle to show that Ansible can be used to patch BASH on OS X

Specifically for CVE-2014-6271 and CVE-2014-7169

Work in this project is based off of the posting(s) of alblue -

Main reference is his evolving post

His post is marked as in the footer and so that license has been used here too.

This Ansible example is the work of elmccarthy and matthewlinks

If you are looking to adapt this for use you will need to ensure that you have

  • Ansible
  • SSH access to your OS X hosts
  • sudo access is required for Ansible to be able to swap out the bash and sh versions
  • the OS X hosts need to have Xcode installed

Setting up Ansible, SSH and sudo access is an exercise left to the reader.

As with most Ansible usage you will need to define your inventory of hosts (OSX-hosts below).

Once your inventory is configured you might check that the syntax is ok

ansible-playbook -i OSX-hosts shellshock.yml --syntax-check

Then you might confirm which tasks will be run

ansible-playbook -i OSX-hosts shellshock.yml --list-tasks

And if you are sure that you want to run this then you could try

ansible-playbook -i OSX-hosts shellshock.yml
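
Once the playbook has run, the result can be confirmed on a host with a local check for the two CVEs named above. This is an added example, not part of this project's playbook: `check_shellshock` is a hypothetical helper name, and the marker string and scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example: local post-patch check for CVE-2014-6271 and CVE-2014-7169.
# check_shellshock is a hypothetical helper, not part of shellshock.yml.
#
# Usage: check_shellshock [path-to-shell]   (default: /bin/bash)
# Prints one status line per CVE; returns 0 if both are patched, 1 if not.
check_shellshock() {
    shell_bin="${1:-/bin/bash}"
    rc=0

    # Both probes run inside a scratch directory, because the
    # CVE-2014-7169 probe is detected through a file side effect.
    scratch=$(mktemp -d) || return 2

    # CVE-2014-6271: an unpatched bash executes the command that trails a
    # function definition while importing the variable from the environment.
    out=$(cd "$scratch" && env probe='() { :;}; echo MARKER_6271' \
          "$shell_bin" -c ':' 2>/dev/null) || true
    case "$out" in
        *MARKER_6271*) echo "CVE-2014-6271: VULNERABLE ($shell_bin)"; rc=1 ;;
        *)             echo "CVE-2014-6271: patched ($shell_bin)" ;;
    esac

    # CVE-2014-7169: after the first fix, a parse error in an imported
    # definition could still leave a redirection pending, so the next
    # command line wrote to a file named after its first word ("echo").
    (cd "$scratch" && env X='() { (a)=>\' \
        "$shell_bin" -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE ($shell_bin)"; rc=1
    else
        echo "CVE-2014-7169: patched ($shell_bin)"
    fi

    rm -rf "$scratch"
    return "$rc"
}

# The playbook swaps out both binaries, so check both on each host:
#   check_shellshock /bin/bash && check_shellshock /bin/sh
```

A non-zero return from either call means the host still has an unpatched binary at that path.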