Thanks Dan. I also found the same test and have been working through various servers updating bash. (In case other folk are unsure, on ubuntu its a matter of:
sudo apt-get update sudo apt-get install bash -- or -- sudo apt-get upgrade for a system wide package update.) Having said, with a minimal set of services running, not running cgi and not "exec-ing" from php, java or whatever web applications, there doesn't seem to be anything to be in a flat panic about. I just did a due diligence grep on dhis2 source and verified as far as I can see there is no place where we exec out to the shell. But we need all to still be vigilant and keep an eye on how attack vectors are emerging. On 26 September 2014 13:23, Dan <[email protected]> wrote: > Hi Bob, > > Yes, it's pretty serious most Linux distros already have a patch in place, > I recommend everyone using Linux at the very least update bash to the > latest version. There is a simple command you can run to check if your > system is vulnerable > env x='() { :;}; echo vulnerable' bash -c "echo this is a test" > > If the result is the following you are patched > --- > bash: warning: x: ignoring function definition attempt > bash: error importing function definition for `x' > this is a test > -- > > If you get the following you need to update: > ---- > vulnerable > this is a test > ---- > > > *Dan Cocos* > BAO Systems > www.baosystems.com > T: +1 202-352-2671 | skype: dancocos > > On Sep 25, 2014, at 6:56 PM, Bob Jolliffe <[email protected]> wrote: > > Has anybody had a chance to evaluate this yet? > -- > Mailing list: https://launchpad.net/~dhis2-devs-core > Post to : [email protected] > Unsubscribe : https://launchpad.net/~dhis2-devs-core > More help : https://help.launchpad.net/ListHelp > > >
-- Mailing list: https://launchpad.net/~dhis2-devs-core Post to : [email protected] Unsubscribe : https://launchpad.net/~dhis2-devs-core More help : https://help.launchpad.net/ListHelp
