EFA, ShellShock and CGI

operator207
Posts: 8
Joined: 06 May 2014 21:33

EFA, ShellShock and CGI

Post by operator207 » 25 Sep 2014 18:49


darky83
Site Admin
Posts: 529
Joined: 30 Sep 2012 11:03
Location: eFa

Re: EFA, ShellShock and CGI

Post by darky83 » 25 Sep 2014 19:41

It is, like any other Linux/OSX-based system out there, vulnerable.

However, only for the SSH/Bash part. I have done some testing with the proof of concept vulnerability code and the CGI scripts are not vulnerable (pfew... :pray: )

So if you run your system wide open to the internet you should do a yum update as soon as possible, as SSH is vulnerable.

yum -y --exclude="kernel* mysql* postfix* mailscanner* clamav* clamd*" update

The CentOS bash partly fixes the current vulnerability for SSH, however the current patch is not complete (https://access.redhat.com/security/cve/CVE-2014-7169) and there is no complete fix as of yet for CentOS.

I hope they release one by tomorrow; by that time I will try to create an EFA update 3.0.0.6 (which will do nothing more than do a forced bash yum update)
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!
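
A local check for whether an update closed both issues named in the post above (the original bug and the incomplete first patch, CVE-2014-7169). This is an added example, not part of the post or of eFa; the function names, the marker string and the BASH_BIN variable are assumptions of this example.

```shell
#!/bin/sh
# Harmless local self-test of the installed bash; run before and after the update.
# Based on the publicly documented diagnostics for CVE-2014-6271 and CVE-2014-7169.
BASH_BIN="${BASH_BIN:-bash}"   # assumption: the bash to test is on PATH

# CVE-2014-6271: a vulnerable bash runs the command that trails a function
# definition imported from an environment variable, so the marker is printed.
check_6271() {
    out=$(env x='() { :;}; echo SELFTEST_MARKER' "$BASH_BIN" -c ':' 2>/dev/null) || true
    case "$out" in
        *SELFTEST_MARKER*) echo vulnerable ;;
        *)                 echo patched ;;
    esac
}

# CVE-2014-7169 (incomplete first patch): a vulnerable bash leaves parser state
# behind and creates a file named "echo" in the working directory.
check_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env x='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then res=vulnerable; else res=patched; fi
    rm -rf "$dir"
    echo "$res"
}

# Report both results; refuse to report if there is no bash to test.
bash_status() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "bash not found"; return 2; }
    echo "CVE-2014-6271: $(check_6271)"
    echo "CVE-2014-7169: $(check_7169)"
}

bash_status
```

A host that reports patched for CVE-2014-6271 but vulnerable for CVE-2014-7169 has only the first, incomplete fix installed.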

operator207
Posts: 8
Joined: 06 May 2014 21:33

Re: EFA, ShellShock and CGI

Post by operator207 » 25 Sep 2014 19:52

Thanks for the quick reply!

I assumed BASH/SSH would be vulnerable (it is kind of hard for it not to be); I was mostly concerned with the CGI parts. Glad it isn't! :D

I will be spending the evening running updates on my small army of VMs. :)

Thanks!

shawniverson
Posts: 2785
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: EFA, ShellShock and CGI

Post by shawniverson » 26 Sep 2014 21:50

Time for an update! We are working hard on getting 3.0.0.6 pushed out. Hopefully CentOS will be fully patched in time for our update to coincide ;)

dbator
Posts: 35
Joined: 20 Aug 2014 19:18

Re: EFA, ShellShock and CGI

Post by dbator » 30 Sep 2014 17:28

Sorry for the dumb question, but just to verify... So by updating my EFA from 3.0.0.5 to 3.0.0.6, I do not have to run the yum update, as it has the bash update incorporated into it?

shawniverson
Posts: 2785
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: EFA, ShellShock and CGI

Post by shawniverson » 30 Sep 2014 23:27

That is correct; the first thing EFA-Update does is call yum update for you with all of the exclusions needed. Bash will be patched :)

dbator
Posts: 35
Joined: 20 Aug 2014 19:18

Re: EFA, ShellShock and CGI

Post by dbator » 01 Oct 2014 13:27

Awesome, thanks! I did the update last night. All is well :)
