EFA, ShellShock and CGI
Posted: 25 Sep 2014 18:49
by operator207
Re: EFA, ShellShock and CGI
Posted: 25 Sep 2014 19:41
by darky83
It is vulnerable, like any other Linux/OSX based system out there.
However, only for the SSH/Bash part. I have done some testing with the proof of concept vulnerability code and the CGI scripts are not vulnerable (pfew...)
So if you run your system wide open to the internet you should do a yum update as soon as possible, as SSH is vulnerable.
Code:
yum -y --exclude="kernel* mysql* postfix* mailscanner* clamav* clamd*" update
The CentOS bash partly fixes the current vulnerability for SSH, however the current patch is not complete (https://access.redhat.com/security/cve/CVE-2014-7169) and there is no complete fix as of yet for CentOS.
I hope they release one by tomorrow, by that time I will try to create an EFA update 3.0.0.6 (which will do nothing more than do a forced bash yum update).
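Added example, not part of the post above and not EFA project code: one way to confirm after the yum update whether the installed bash package already records the follow-up fix for CVE-2014-7169, by reading the RPM changelog. The function names and both sample changelogs are constructed for illustration (placeholder packager and versions); run it with `--live` on the host to query the installed package.

```shell
#!/bin/sh
CVE_ID="CVE-2014-7169"   # the follow-up CVE linked in the post above

# Reads `rpm -q --changelog bash` text on stdin. Prints the header line of
# the changelog entry that mentions the CVE id ($1) and returns 0;
# prints nothing and returns 1 when no entry mentions it.
changelog_fix_entry() {
    awk -v cve="$1" '
        /^\* /         { header = $0; next }   # "* date packager - version"
        index($0, cve) { print header; found = 1; exit }
        END            { exit found ? 0 : 1 }
    '
}

# Queries the installed bash package and reports the patch state.
check_installed_bash() {
    command -v rpm >/dev/null 2>&1 || { echo "unknown: rpm not available"; return 2; }
    if entry=$(rpm -q --changelog bash | changelog_fix_entry "$CVE_ID"); then
        echo "complete: $entry"
    else
        echo "incomplete: bash changelog has no $CVE_ID entry, update again later"
        return 1
    fi
}

# Constructed sample: package carrying only the first, partial fix.
SAMPLE_PARTIAL='* Wed Sep 24 2014 Example Packager <pkg@example.com> - 0.0.0-1
- First fix for function import from the environment
* Mon Jan 06 2014 Example Packager <pkg@example.com> - 0.0.0-0
- Unrelated change'

# Constructed sample: same package after the follow-up fix was added.
SAMPLE_COMPLETE="* Fri Sep 26 2014 Example Packager <pkg@example.com> - 0.0.0-2
- Fix for CVE-2014-7169
$SAMPLE_PARTIAL"

# Only touch the real package database when asked to.
if [ "${1:-}" = "--live" ]; then
    check_installed_bash
fi
```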
Re: EFA, ShellShock and CGI
Posted: 25 Sep 2014 19:52
by operator207
Thanks for the quick reply!
I assumed BASH/SSH would be vulnerable (it is kind of hard for it not to be), I was mostly concerned with the CGI parts. Glad it isn't!
I will be spending the evening running updates on my small army of VMs.
Thanks!
Re: EFA, ShellShock and CGI
Posted: 26 Sep 2014 21:50
by shawniverson
Time for an update! We are working hard on getting 3.0.0.6 pushed out. Hopefully CentOS will be fully patched in time for our update to coincide.
Re: EFA, ShellShock and CGI
Posted: 30 Sep 2014 17:28
by dbator
Sorry for the dumb question but just to verify... So by updating my EFA from 3.0.0.5 to 3.0.0.6, I do not have to run the yum update as it has the bash update incorporated into it?
Re: EFA, ShellShock and CGI
Posted: 30 Sep 2014 23:27
by shawniverson
That is correct, the first thing EFA-Update does is call yum update for you with all of the exclusions needed. Bash will be patched.
Re: EFA, ShellShock and CGI
Posted: 01 Oct 2014 13:27
by dbator
Awesome, thanks! I did the update last night. All is well.