A couple emails have been sent to the list on this regard (thanks Robin, Chris and Steven). It is important that you know that most Koha deployments are not exposed to this vulnerability (CVE-2014-6271 <http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html>). ONLY 'dev' installs are vulnerable. In order to avoid this vulnerability, 'dev' installs should add the following to their Apache virtualhost definitions: RedirectMatch 403 \.sh$ If you don't know *where* to put this, mine looked like this (and yours should too): #### Options +FollowSymLinks # If you are overriding any system preferences, # list them in this variable so the preference editor # knows that they have been overridden. # SetEnv OVERRIDE_SYSPREF_NAMES "Pref1,Pref2,Pref3" RedirectMatch 403 \.sh$ ErrorDocument 400 /cgi-bin/koha/errors/400.pl ### Please contact any of us in private (I prefer IRC) if you have more doubts specific to your setup. ==== To sumarize: - Know that Koha is not vulnerable to this bug on most of its deployment forms: * Packages: SAFE * Source install (tar.gz/git/gitify): - standard: SAFE - single: SAFE - dev: UNSAFE - Make sure your operating system has the latest bash update installed. Just keep it updated, frecquently. - There's a solution for 'dev' installs, the one above (add the "RedirectMatch 403 \.sh$" line to your vhosts definition). Regards -- Tomás Cohen Arazi Prosecretaría de Informática Universidad Nacional de Córdoba ✆ +54 351 5353750 ext 13168 GPG: B76C 6E7C 2D80 551A C765 E225 0A27 2EA1 B2F3 C15F