EFA, ShellShock and CGI

operator207
Posts: 8
Joined: 06 May 2014 21:33

EFA, ShellShock and CGI

Post by operator207 » 25 Sep 2014 18:49


darky83
Site Admin
Posts: 528
Joined: 30 Sep 2012 11:03
Location: eFa

Re: EFA, ShellShock and CGI

Post by darky83 » 25 Sep 2014 19:41

It is vulnerable, like any other Linux/OS X based system out there.

However, only for the SSH/Bash part; I have done some testing with the proof of concept vulnerability code and the CGI scripts are not vulnerable (phew... :pray: )

So if you run your system wide open to the internet you should do a yum update as soon as possible, as SSH is vulnerable.

Code:

yum -y --exclude="kernel* mysql* postfix* mailscanner* clamav* clamd*" update

The CentOS bash partly fixes the current vulnerability for SSH, however the current patch is not complete (https://access.redhat.com/security/cve/CVE-2014-7169) and there is no complete fix as of yet for CentOS.

I hope they release one by tomorrow, by that time I will try to create an EFA update 3.0.0.6 (which will do nothing more than do a forced bash yum update).
E.F.A 3.0.2.6 update released
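
A post-update check for the situation described in the post above, as an added example that is not part of the original thread or EFA's own code: it looks for the CVE in the bash package changelog (distribution fixes are backported, so the version string alone does not show it) and probes whether bash still imports functions from ordinary environment variables. The function names, the `efa_probe` variable and the sample changelog are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run after "yum update".
CVE_ID="CVE-2014-7169"   # the CVE linked in the post above

# Reads an RPM changelog on stdin and succeeds if it names the given CVE.
# -F: literal match, -w: whole token, so a longer ID does not match.
changelog_mentions_cve() {
    grep -q -F -w -- "$1"
}

# Succeeds if the given bash (default: bash on PATH) still turns an ordinary
# environment variable into a shell function. The probe holds only a harmless
# function body; a bash with the later hardening ignores it.
bash_imports_plain_env_functions() {
    out=$(env efa_probe='() { echo imported; }' "${1:-bash}" -c 'efa_probe' 2>/dev/null) || true
    [ "$out" = "imported" ]
}

# Constructed sample changelog, not real package data.
sample_changelog() {
    cat <<'EOF'
* Thu Jan 01 2015 Example Packager <packager@example.invalid> - 0.0-0.example2
- Constructed entry: fix for CVE-2014-7169
* Wed Dec 31 2014 Example Packager <packager@example.invalid> - 0.0-0.example1
- Constructed entry: unrelated change
EOF
}

# Prints both results for the local host.
report() {
    if rpm -q --changelog bash 2>/dev/null | changelog_mentions_cve "$CVE_ID"; then
        echo "changelog: $CVE_ID fix listed"
    else
        echo "changelog: $CVE_ID not listed (or rpm not available)"
    fi
    if bash_imports_plain_env_functions; then
        echo "bash: imports functions from plain environment variables (update not applied?)"
    else
        echo "bash: does not import functions from plain environment variables"
    fi
}

report
```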

operator207
Posts: 8
Joined: 06 May 2014 21:33

Re: EFA, ShellShock and CGI

Post by operator207 » 25 Sep 2014 19:52

Thanks for the quick reply!

I assumed BASH/SSH would be vulnerable (it is kind of hard for it not to be); I was mostly concerned with the CGI parts. Glad it isn't! :D

I will be spending the evening running updates on my small army of VMs. :)

Thanks!

shawniverson
Posts: 2611
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: EFA, ShellShock and CGI

Post by shawniverson » 26 Sep 2014 21:50

Time for an update! We are working hard on getting 3.0.0.6 pushed out. Hopefully CentOS will be fully patched in time for our update to coincide ;)
Version 3.0.2.6 released! Update now to keep your eFa secure!

dbator
Posts: 35
Joined: 20 Aug 2014 19:18

Re: EFA, ShellShock and CGI

Post by dbator » 30 Sep 2014 17:28

Sorry for the dumb question but just to verify... So by updating my EFA from 3.0.0.5 to 3.0.0.6, I do not have to run the yum update as it has the bash update incorporated into it?

shawniverson
Posts: 2611
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: EFA, ShellShock and CGI

Post by shawniverson » 30 Sep 2014 23:27

That is correct, first thing EFA-Update does is call yum update for you with all of the exclusions needed. Bash will be patched :)

dbator
Posts: 35
Joined: 20 Aug 2014 19:18

Re: EFA, ShellShock and CGI

Post by dbator » 01 Oct 2014 13:27

Awesome thanks! I did the update last night. All is well :)
