
perfsonar-announce - Shellshock Update (Weds 10/1)

Subject: perfSONAR Announcements

  • From: Jason Zurawski <>
  • To: "" <>, perfsonar-announce <>
  • Cc: "" <>
  • Subject: Shellshock Update (Weds 10/1)
  • Date: Wed, 1 Oct 2014 20:19:45 -0400

Greetings;

As of Weds evening, there has not been an announcement of additional
vulnerabilities or patches from our upstream operating system provider. For
those keeping track at home, the best resource from Red Hat on this issue can
be found in these locations:

https://access.redhat.com/announcements/1210053
https://access.redhat.com/articles/1200223

There were 6 CVEs total announced:

> CVE-2014-6271
> CVE-2014-6277
> CVE-2014-6278
> CVE-2014-7169
> CVE-2014-7186
> CVE-2014-7187

These link back to two specific errata pages that apply to the version of
CentOS the perfSONAR toolkit is based on:

https://rhn.redhat.com/errata/RHSA-2014-1293.html
https://rhn.redhat.com/errata/RHSA-2014-1306.html

CVE 6271 was addressed with the 1st RPM. CVEs 7169, 7186, and 7187 were
addressed with the 2nd RPM. The two unaccounted-for CVEs (6277 and 6278)
have this statement on their pages:

> Technical details of this flaw are currently not public. Red Hat believes
> that changes introduced via updates RHSA-2014:1306, RHSA-2014:1311, and
> RHSA-2014:1312 that prevent Bash from defining new functions based on
> arbitrary environment variables sufficiently mitigate this issue. This
> statement will be updated once more details are available.

While this doesn't have the feeling of 'final', it appears things are stable
for the time being. We will continue to monitor the situation.

The perfSONAR project would like to remind everyone to stay on top of
patching, and if you haven't run yum update to pull in the bash changes (or
our own mitigations to reduce the risk footprint in using bash), please do so
immediately (for users of v 3.3 and the 3.4 RCs). For those that are still
using the LiveCD, a new build is available, but we hope the recent events
will help to convince everyone that the LiveCD use case should be considered
carefully.

Please let us know if there are other questions or concerns:


Thanks;

-jason

  • Shellshock Update (Weds 10/1), Jason Zurawski, 10/02/2014
