Hi all;

A significant vulnerability has been discovered in GNU Bash, which may
affect many servers whether or not they run LedgerSMB.  If your system runs
GNU Bash (for example, running Linux, *BSD, or Cygwin), you should upgrade
as quickly as possible.

Having reviewed the vulnerability report and run some tests, it is clear
that LedgerSMB in the tested environments is not directly vulnerable except
in cases where a user is already logged into the administrative interface.
Because of the way CGI works, however, I cannot say anything specific about
other environments.

The following environments were reviewed and/or tested and confirmed
non-vulnerable by members of the core committee:

1.  Installations over fastcgi using our standard plack wrappers.
2.  Installations over starman using our standard plack wrappers.
3.  CGI installations on Apache 2.4.
4.  Nginx and spawn-fcgi

The vulnerability addresses how Bash processes environment variables.  It
is present where a program spawns a "shell" which then sets up its
environment.  While the implementation may be dependent on the operating
system, we do use system() to run some commands in the administrative
console.  A strongly mitigating factor of course is this only happens after
an administrator is properly authenticated.  In other words, this can only
happen once someone has authenticated to the point where he or she is
authorized to, among other things, grant access to your accounting database.
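To make the mechanism above concrete from the defender's side, here is an added example (not LedgerSMB code): it builds the kind of environment a CGI server hands a request handler, flags values carrying the exported-function prefix that unpatched Bash parses, and shows that spawning the child as an argv list with a scrubbed environment keeps the request header away from any shell. The HTTP_* naming follows the CGI specification; the sample request environment is constructed.

```python
import re
import subprocess
import sys

# Pre-patch Bash parsed any environment variable whose value begins with
# "() {" as an exported function definition (the mechanism the advisory
# describes).  CGI copies request headers into the environment as HTTP_*
# variables, so a crafted header reaches Bash the moment the application
# runs system("...") and the shell starts up.
FUNC_DEF_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def looks_like_bash_function(value):
    """True if an env-var value carries the exported-function prefix."""
    return bool(FUNC_DEF_PREFIX.match(value))


def scrub_env(env):
    """Copy of env without function-definition values (defence in depth;
    patching Bash remains the actual fix)."""
    return {k: v for k, v in env.items() if not looks_like_bash_function(v)}


def child_sees(env, name):
    """Spawn a child *without* a shell (argv list, not a command string) and
    report what it sees for env var `name`; 'absent' if it is not there."""
    code = "import os; print(os.environ.get(%r, 'absent'))" % name
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


# Constructed sample: the environment a CGI server would build for a request
# to login.pl whose User-Agent header carries the function-definition prefix.
CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "SCRIPT_NAME": "/ledgersmb/login.pl",
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "ledger.example.test",
    "HTTP_USER_AGENT": "() { :;}; echo scanner-probe",
}

if __name__ == "__main__":
    for name, value in CGI_ENV.items():
        flag = "FLAG" if looks_like_bash_function(value) else "ok  "
        print(flag, name, "=", value)
    print("child sees HTTP_USER_AGENT:",
          child_sees(scrub_env(CGI_ENV), "HTTP_USER_AGENT"))
```

The scrubbing only helps code that must still spawn a shell; the list-form spawn is the pattern that avoids the shell altogether.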

For this reason I would not treat this issue as having a significant impact
specifically on LedgerSMB installations, provided it is deployed on one of
the environments above.  However, as many other portions of your system may
be more vulnerable, it is certainly worth correcting right away.

Additionally we cannot confirm that other environments are not vulnerable.

If you would like to confirm whether your own installation can be
exploited, you can download source code at http://shellshock.iecra.org/
which can be run via python against the login.pl in your LedgerSMB directory.

-- 
Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor
lock-in.
http://www.efficito.com/learn_more
_______________________________________________
Ledger-smb-users mailing list
Ledger-smb-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ledger-smb-users