dhis2-devs-core team mailing list archive

Re: shellshock

 

Thanks Dan.  I also found the same test and have been working through
various servers updating bash.  (In case other folk are unsure, on Ubuntu
it's a matter of:

sudo apt-get update
sudo apt-get install bash
-- or --
sudo apt-get upgrade

for a system wide package update.)

Having said that, with a minimal set of services running, not running cgi and
not "exec-ing" from php, java or whatever web applications, there doesn't
seem to be anything to be in a flat panic about.  I just did a due
diligence grep on dhis2 source and verified as far as I can see there is no
place where we exec out to the shell.

But we need all to still be vigilant and keep an eye on how attack vectors
are emerging.



On 26 September 2014 13:23, Dan <dan@xxxxxxxxxxxx> wrote:

> Hi Bob,
>
> Yes, it's pretty serious. Most Linux distros already have a patch in place;
> I recommend everyone using Linux at the very least update bash to the
> latest version. There is a simple command you can run to check if your
> system is vulnerable:
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> If the result is the following you are patched
> ---
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
> --
>
> If you get the following you need to update:
> ----
> vulnerable
> this is a test
> ----
>
>
> *Dan Cocos*
> BAO Systems
> www.baosystems.com
> T: +1 202-352-2671 | skype: dancocos
>
> On Sep 25, 2014, at 6:56 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>
> Has anybody had a chance to evaluate this yet?
> --
> Mailing list: https://launchpad.net/~dhis2-devs-core
> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs-core
> More help   : https://help.launchpad.net/ListHelp
>
>
>
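
Bob's reply mentions a due-diligence grep of the dhis2 source for places that exec out to the shell. The script below is an added example of that kind of audit, not the command Bob ran and not part of the thread; the regular expression, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list places where Java or PHP code
# starts an external process, the kind of call that could pass a
# request-influenced environment on to bash. Patterns are illustrative
# assumptions; matches are leads to review, not confirmed problems.

SHELL_OUT_RE='Runtime\.getRuntime\(\)\.exec|new[[:space:]]+ProcessBuilder|(^|[^[:alnum:]_>])(shell_exec|proc_open|passthru|popen|system|exec)[[:space:]]*\('

# find_shell_outs DIR -> "file:line:text" per hit in Java/JSP/PHP sources
find_shell_outs() {
    grep -rnE --include='*.java' --include='*.jsp' --include='*.php' \
        -e "$SHELL_OUT_RE" "$1" || true
}

# count_shell_outs DIR -> number of hits (0 when the tree is clean)
count_shell_outs() {
    find_shell_outs "$1" | wc -l | tr -d ' '
}

# make_sample_tree -> path of a temp dir holding constructed sample files
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app" "$d/web"
    cat > "$d/app/Export.java" <<'EOF'
public class Export {
    void dump(String f) throws Exception {
        Runtime.getRuntime().exec("pg_dump");      // hit
        new ProcessBuilder("gzip", f).start();     // hit
        executor.execute(task);                    // not a hit
    }
}
EOF
    cat > "$d/web/report.php" <<'EOF'
<?php
$out = shell_exec("uptime");            // hit
$n = $pdo->exec("DELETE FROM t");       // not a hit: method call
$r = curl_exec($ch);                    // not a hit: different function
EOF
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
find_shell_outs "$tree"
echo "hits: $(count_shell_outs "$tree")"
rm -rf "$tree"
```

Run against a real checkout by calling `find_shell_outs /path/to/source`; an empty result only covers the listed call patterns in the listed file types.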
