[Koha] [Security advisory] ... (CVE-2014-6271)

Riley Childs rchilds at cucawarriors.com
Sun Sep 28 05:23:02 NZDT 2014

Also note that although Koha itself is not an attack vector, the system it is running on is (if it is a *nix). Ubuntu released a hardened fix for 10.04, 12.04, and 14.04; if you are running any other version of Ubuntu you need to upgrade to one of the above ASAP. Same goes for any other distro.
In general your OS should have an update pending right now, if your OS isn't EOL.

Riley Childs
Charlotte United Christian Academy
Library Services Administrator
IT Services
(704) 497-2086
From: Mark Tompsett <mtompset at hotmail.com>
Sent: 9/27/2014 12:04 PM
To: koha <koha at lists.katipo.co.nz>
Subject: Re: [Koha] [Security advisory] ... (CVE-2014-6271)


I know how many people just love the Live CDs/Live DVD's. This post may
apply to you too, depending on how the creator made it. Please confirm with
your creator, since it is unlikely that I (or anyone else other than the
creator) would know.

Mark Tompsett

-----Original Message-----
From: Tomas Cohen Arazi
Sent: Friday, September 26, 2014 5:43 PM
To: koha
Subject: [Koha] [Security advisory] For 'dev' installs (CVE-2014-6271)

A couple of emails have been sent to the list in this regard (thanks Robin,
Chris and Steven).

It is important that you know that most Koha deployments are not exposed to
this vulnerability (CVE-2014-6271).
ONLY 'dev' installs are vulnerable.

In order to avoid this vulnerability, 'dev' installs should add the
following to their Apache virtualhost definitions:

RedirectMatch 403 \.sh$

If you don't know *where* to put this, mine looked like this (and yours
should too):

   Options +FollowSymLinks

   # If you are overriding any system preferences,
   # list them in this variable so the preference editor
   # knows that they have been overridden.
   # SetEnv OVERRIDE_SYSPREF_NAMES "Pref1,Pref2,Pref3"

   RedirectMatch 403 \.sh$

   ErrorDocument 400 /cgi-bin/koha/errors/400.pl

Please contact any of us in private (I prefer IRC) if you have more doubts
specific to your setup.
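The following is an added example, not part of the advisory or of the Koha project: it models how Apache's RedirectMatch applies the advisory's `\.sh$` pattern, so you can see which request paths the rule turns into a 403 before a CGI handler ever runs. Apache matches RedirectMatch against the URL path with the query string already removed, which is what the code reproduces; the sample request targets are constructed and do not correspond to real Koha scripts.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# The exact pattern from the advisory's vhost line: RedirectMatch 403 \.sh$
RULE = re.compile(r"\.sh$")


def redirectmatch_403(request_target: str) -> Optional[int]:
    """Return 403 if the advisory's rule rejects this request target,
    otherwise None (the request proceeds to the normal handler).

    Apache applies RedirectMatch to the URL path only, so the query
    string is stripped before matching, just as the server does.
    """
    path = urlsplit(request_target).path
    return 403 if RULE.search(path) else None


def triage(request_targets):
    """Map each request target to the status the rule assigns (403 or None)."""
    return {target: redirectmatch_403(target) for target in request_targets}


# Constructed sample request targets (hypothetical names, not real Koha paths).
SAMPLE_REQUESTS = [
    "/cgi-bin/koha/mainpage.pl",              # ordinary Perl CGI: passes
    "/cgi-bin/koha/svc/authentication",       # no extension at all: passes
    "/cgi-bin/koha/some-helper.sh",           # path ends in .sh: 403
    "/cgi-bin/koha/some-helper.sh?id=1",      # query string ignored: still 403
    "/cgi-bin/koha/some-helper.sh/extra",     # trailing segment: the '$' anchor
                                              # does not match, so this passes
]

if __name__ == "__main__":
    for target, status in triage(SAMPLE_REQUESTS).items():
        print(f"{status or 'pass':>4}  {target}")
```

The last sample is the caveat worth checking in your own setup: because the pattern is anchored at the end of the path, only paths that end in `.sh` are rejected. Whether a path with a trailing segment can still reach a script depends on how your vhost handles path info for CGI, so review that alongside the rule rather than treating the one line as a complete answer.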


To summarize:

- Know that Koha is not vulnerable to this bug on most of its deployments
  * Packages: SAFE
  * Source install (tar.gz/git/gitify):
     - standard: SAFE
     - single: SAFE
     - dev: UNSAFE
- Make sure your operating system has the latest bash update installed.
Just keep it updated, frequently.
- There's a solution for 'dev' installs, the one above (add the
"RedirectMatch 403 \.sh$" line to your vhosts definition).


Tomás Cohen Arazi
Prosecretaría de Informática
Universidad Nacional de Córdoba
✆ +54 351 5353750 ext 13168
GPG: B76C 6E7C 2D80 551A C765  E225 0A27 2EA1 B2F3 C15F
Koha mailing list  http://koha-community.org
Koha at lists.katipo.co.nz
