EFA, ShellShock and CGI

Posted: 25 Sep 2014 18:49
by operator207

Re: EFA, ShellShock and CGI

Posted: 25 Sep 2014 19:41
by darky83
It is vulnerable, like any other Linux/OS X based system out there.

However, only for the SSH/Bash part. I have done some testing with the proof of concept vulnerability code and the CGI scripts are not vulnerable (phew... :pray: )

So if you run your system wide open to the internet, you should do a yum update as soon as possible, as SSH is vulnerable.

Code:

yum -y --exclude="kernel* mysql* postfix* mailscanner* clamav* clamd*" update

The CentOS bash partly fixes the current vulnerability for SSH; however, the current patch is not complete (https://access.redhat.com/security/cve/CVE-2014-7169) and there is no complete fix as of yet for CentOS.

I hope they release one by tomorrow; by that time I will try to create an EFA update 3.0.0.6 (which will do nothing more than do a forced bash yum update).

Re: EFA, ShellShock and CGI

Posted: 25 Sep 2014 19:52
by operator207
Thanks for the quick reply!

I assumed BASH/SSH would be vulnerable (it is kind of hard for it not to be); I was mostly concerned with the CGI parts. Glad it isn't! :D

I will be spending the evening running updates on my small army of VMs. :)

Thanks!

Re: EFA, ShellShock and CGI

Posted: 26 Sep 2014 21:50
by shawniverson
Time for an update! We are working hard on getting 3.0.0.6 pushed out. Hopefully CentOS will be fully patched in time for our update to coincide ;)

Re: EFA, ShellShock and CGI

Posted: 30 Sep 2014 17:28
by dbator
Sorry for the dumb question but just to verify... So by updating my EFA from 3.0.0.5 to 3.0.0.6, I do not have to run the yum update as it has the bash update incorporated into it?

Re: EFA, ShellShock and CGI

Posted: 30 Sep 2014 23:27
by shawniverson
That is correct; the first thing EFA-Update does is call yum update for you with all of the exclusions needed. Bash will be patched :)

Re: EFA, ShellShock and CGI

Posted: 01 Oct 2014 13:27
by dbator
Awesome, thanks! I did the update last night. All is well :)