Is EFA vulnerable to shellshock?
http://www.theregister.co.uk/2014/09/24 ... hell_vuln/
EFA, ShellShock and CGI
Re: EFA, ShellShock and CGI
It is vulnerable, like any other Linux/OS X based system out there.
However, only for the SSH/Bash part. I have done some testing with the proof of concept vulnerability code and the CGI scripts are not vulnerable (phew...).
So if you run your system wide open to the internet, you should do a yum update as soon as possible, as SSH is vulnerable.
The CentOS bash partly fixes the current vulnerability for SSH, however the current patch is not complete (https://access.redhat.com/security/cve/CVE-2014-7169) and there is no complete fix as of yet for CentOS.
I hope they release one by tomorrow; by that time I will try to create an EFA update 3.0.0.6 (which will do nothing more than do a forced bash yum update).
yum -y --exclude="kernel* mysql* postfix* mailscanner* clamav* clamd*" update
- Posts: 8
- Joined: 06 May 2014 21:33
Re: EFA, ShellShock and CGI
Thanks for the quick reply!
I assumed BASH/SSH would be vulnerable (it is kind of hard for it not to be), I was mostly concerned with the CGI parts. Glad it isn't!
I will be spending the evening running updates on my small army of VMs.
Thanks!
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: EFA, ShellShock and CGI
Time for an update! We are working hard on getting 3.0.0.6 pushed out. Hopefully CentOS will be fully patched in time for our update to coincide.
Re: EFA, ShellShock and CGI
Sorry for the dumb question but just to verify... So by updating my EFA from 3.0.0.5 to 3.0.0.6, I do not have to run the yum update as it has the bash update incorporated into it?
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: EFA, ShellShock and CGI
That is correct; the first thing EFA-Update does is call yum update for you with all of the exclusions needed. Bash will be patched.
Re: EFA, ShellShock and CGI
Awesome, thanks! I did the update last night. All is well.
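A local check for confirming the result after the update, added here as an example and not part of the original thread: it runs the two widely published vendor diagnostics (the original Shellshock probe and the CVE-2014-7169 incomplete-patch probe linked above) against a bash binary. The function names and the marker string are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the marker are constructed.

# Original Shellshock flaw: bash executes commands that trail a function
# definition imported from an environment variable.
check_original() {
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$1" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo ok ;;
    esac
}

# CVE-2014-7169 (incomplete first patch): a parser error leaves ">\" behind, so
# the next command "echo date" is read as "run date, redirect to file echo".
# The probe runs in a throwaway directory and only looks for that file.
check_incomplete_fix() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env 'X=() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=ok; fi
    rm -rf "$tmp"
    echo "$result"
}

# Summarise both probes for one bash binary (defaults to the bash on PATH).
shellshock_status() {
    bash_bin=${1:-$(command -v bash)}
    if [ ! -x "$bash_bin" ]; then
        echo "no bash binary found"
        return 2
    fi
    if [ "$(check_original "$bash_bin")" = vulnerable ]; then
        echo "vulnerable: original flaw, bash not updated"
    elif [ "$(check_incomplete_fix "$bash_bin")" = vulnerable ]; then
        echo "vulnerable: CVE-2014-7169, only the first patch is installed"
    else
        echo "patched"
    fi
}

shellshock_status "$@"
```

Running it before and after the yum update shows whether the installed bash package carries only the first fix or the complete one.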