With the finding of the most recent "Shellshock" vulnerability with the BASH shell, I'm wondering if Koha uses the BASH shell in any way? I'm pretty sure it does not, but just wanted to make sure. I realize that the Linux system Koha is running on likely has the BASH shell that probably has the vulnerability, but I'm just trying to ascertain if a potential hacker could get to the system through the Koha application.

Thanks!
Steve

On 27/09/2014, at 02:28, Steven Nickerson wrote:
> With the finding of the most recent "Shellshock" vulnerability with the BASH shell, I'm wondering if Koha uses the BASH shell in any way? I'm pretty sure it does not, but just wanted to make sure. I realize that the Linux system Koha is running on likely has the BASH shell that probably has the vulnerability, but I'm just trying to ascertain if a potential hacker could get to the system through the Koha application.

Short version, as Robin and Chris mentioned earlier, now is the time to do your security updates on your server. As far as anyone has said, there aren't any known. But, Koha and its cron jobs can't operate in isolation from the shell *and* it is very unlikely that your Linux server does not have bash. There are already debs for Debian and Ubuntu available.

-ramon.

(No, this doesn't mean you have to update Koha at the same time)

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-...

On 26/09/2014 15:30, "Steven Nickerson" <snicker1@maine.rr.com> wrote:
> With the finding of the most recent "Shellshock" vulnerability with the BASH shell, I'm wondering if Koha uses the BASH shell in any way? I'm pretty sure it does not, but just wanted to make sure. I realize that the Linux system Koha is running on likely has the BASH shell that probably has the vulnerability, but I'm just trying to ascertain if a potential hacker could get to the system through the Koha application.
>
> Thanks!
> Steve

At 02:28 PM 9/26/2014 -0400, Steven Nickerson wrote:
> With the finding of the most recent "Shellshock" vulnerability with the BASH shell, I'm wondering if Koha uses the BASH shell in any way? I'm pretty sure it does not, but just wanted to make sure. I realize that the Linux system Koha is running on likely has the BASH shell that probably has the vulnerability, but I'm just trying to ascertain if a potential hacker could get to the system through the Koha application.

It's fairly trivial (less than a minute per box Debian/Ubuntu; surely RHEL has something equivalent) to install the (perhaps not final) patch:

    apt-get install bash

Then verify with:

    env x='() { :;}; echo vulnerable' bash -c 'echo hello'

Best -- Paul

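The verification command from the message above, wrapped so it can be run over several shell binaries and give a scriptable exit status. This is an added example, not part of the thread; the function names `probe_bash` and `check_all` are made up here. It tests only the one probe quoted in the thread, so "patched" means "did not react to this probe", which matters given the patch was described as perhaps not final.

```shell
#!/bin/sh
# Added example (not from the thread): classify shell binaries with the
# env-function probe quoted in the message above.

# probe_bash PATH -> prints "vulnerable", "patched" or "error".
# Return status: 1 vulnerable, 0 patched, 2 could not test.
probe_bash() {
    shell=$1
    [ -x "$shell" ] || { echo error; return 2; }
    # The probe exports a variable whose value looks like a function
    # definition followed by an extra command. An unfixed bash runs that
    # extra command while importing its environment; a fixed one does not.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null) || :
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *hello*)      echo patched;    return 0 ;;
        *)            echo error;      return 2 ;;
    esac
}

# check_all [PATH ...] -> one "path: verdict" line per binary.
# With no arguments it tests the bash found in PATH (or /bin/bash).
# Returns non-zero if any binary is vulnerable or could not be tested.
check_all() {
    [ $# -gt 0 ] || set -- "$(command -v bash || echo /bin/bash)"
    rc=0
    for candidate in "$@"; do
        verdict=$(probe_bash "$candidate") || rc=1
        printf '%s: %s\n' "$candidate" "$verdict"
    done
    return $rc
}
```

Source the file and run `check_all`, or pass explicit paths such as `check_all /bin/bash /usr/local/bin/bash` when a server has more than one bash installed.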
participants (4): Carlos Rodrigo Cordova Sandoval, Paul A, Ramon Andiñach, Steven Nickerson