dhis2-devs-core team mailing list archive

[Dan <dan@xxxxxxxxxxxx>]

On Redhat/CentOS the update command is 

sudo yum update bash


On Sep 26, 2014, at 10:08 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:

> Thanks Dan.  I also found the same test and have been working through various servers updating bash.  (In case other folk are unsure, on ubuntu its a matter of:
> 
> sudo apt-get update
> sudo apt-get install bash
> -- or --
> sudo apt-get upgrade 
> 
> for a system wide package update.)
> 
> Having said, with a minimal set of services running, not running cgi and not "exec-ing" from php, java or whatever web applications, there doesn't seem to be anything to be in a flat panic about.  I just did a due diligence grep on dhis2 source and verified as far as I can see there is no place where we exec out to the shell.
> 
> But we need all to still be vigilant and keep an eye on how attack vectors are emerging. 
> 
> 
> 
> On 26 September 2014 13:23, Dan <dan@xxxxxxxxxxxx> wrote:
> Hi Bob,
> 
> Yes, it’s pretty serious most Linux distros already have a patch in place, I recommend everyone using Linux at the very least update bash to the latest version. There is a simple command you can run to check if your system is vulnerable 
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> 
> If the result is the following you are patched
> ---
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
> —
> 
> If you get the following you need to update:
> ----
> vulnerable
> this is a test
> ----
> 
> 
> Dan Cocos
> BAO Systems
> www.baosystems.com
> T: +1 202-352-2671 | skype: dancocos
> 
> On Sep 25, 2014, at 6:56 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
> 
>> Has anybody had a chance to evaluate this yet?
>> -- 
>> Mailing list: https://launchpad.net/~dhis2-devs-core
>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>> More help   : https://help.launchpad.net/ListHelp
> 
>