[Koha] [Security advisory] For 'dev' installs (CVE-2014-6271)

Tomas Cohen Arazi tomascohen at gmail.com
Sat Sep 27 09:43:50 NZST 2014


A couple of emails have been sent to the list in this regard (thanks Robin,
Chris and Steven).

It is important that you know that most Koha deployments are not exposed to
this vulnerability (CVE-2014-6271
<http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html>).
ONLY 'dev' installs are vulnerable.

In order to avoid this vulnerability, 'dev' installs should add the
following to their Apache virtualhost definitions:

RedirectMatch 403 \.sh$

If you don't know *where* to put this, mine looked like this (and yours
should too):

####
   Options +FollowSymLinks

   # If you are overriding any system preferences,
   # list them in this variable so the preference editor
   # knows that they have been overridden.
   # SetEnv OVERRIDE_SYSPREF_NAMES "Pref1,Pref2,Pref3"

   # Refuse (HTTP 403) any request whose URL path ends in .sh
   RedirectMatch 403 \.sh$

   ErrorDocument 400 /cgi-bin/koha/errors/400.pl
####

Please contact any of us in private (I prefer IRC) if you have more doubts
specific to your setup.

====

To summarize:

- Know that Koha is not vulnerable to this bug on most of its deployment
forms:
  * Packages: SAFE
  * Source install (tar.gz/git/gitify):
     - standard: SAFE
     - single: SAFE
     - dev: UNSAFE
- Make sure your operating system has the latest bash update installed.
Just keep it updated, frequently.
- There's a solution for 'dev' installs, the one above (add the
"RedirectMatch 403 \.sh$" line to your vhosts definition).

Regards

-- 
Tomás Cohen Arazi
Prosecretaría de Informática
Universidad Nacional de Córdoba
✆ +54 351 5353750 ext 13168
GPG: B76C 6E7C 2D80 551A C765  E225 0A27 2EA1 B2F3 C15F
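An added example (not from the post or the Koha project) of how an administrator could audit a set of Apache virtualhost definitions for the mitigation described above. It parses each `<VirtualHost>` block, finds any `RedirectMatch 403 <regex>` directive, and probes the regex against constructed URL paths to confirm it rejects `.sh` paths while leaving the normal `.pl` CGI paths reachable. The vhost text and the probe paths are constructed for the example; Apache's RedirectMatch is applied to the URL path only (no query string), which is why the probes are bare paths.

```python
"""Audit Apache vhost definitions for a working 'RedirectMatch 403 \\.sh$' line.

Added example; not Koha project code. SAMPLE_CONFIG and PROBE_PATHS are constructed.
"""
import re

# Constructed sample: two virtual hosts, only the first carries the mitigation.
SAMPLE_CONFIG = r"""
<VirtualHost *:80>
   ServerName opac.example.org
   Options +FollowSymLinks

   # SetEnv OVERRIDE_SYSPREF_NAMES "Pref1,Pref2,Pref3"

   RedirectMatch 403 \.sh$

   ErrorDocument 400 /cgi-bin/koha/errors/400.pl
</VirtualHost>

<VirtualHost *:8080>
   ServerName intranet.example.org
   Options +FollowSymLinks
   ErrorDocument 400 /cgi-bin/koha/errors/400.pl
</VirtualHost>
"""

# <VirtualHost addr> ... </VirtualHost>; group(1) = address, group(2) = body.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
# A RedirectMatch whose status is 403; group(1) is the regex it applies.
REDIRECT403_RE = re.compile(r"^\s*RedirectMatch\s+403\s+(\S+)",
                            re.IGNORECASE | re.MULTILINE)

# Constructed request paths used to probe each RedirectMatch regex.
PROBE_PATHS = (
    "/cgi-bin/koha/opac-main.pl",   # ordinary Koha CGI: must stay reachable
    "/cgi-bin/koha/svc/report",     # extension-less path: must stay reachable
    "/cgi-bin/koha/example.sh",     # shell script path: must be refused
    "/some/dir/script.sh",          # shell script anywhere in the tree: must be refused
)


def blocked_paths(pattern: str, paths=PROBE_PATHS) -> list[str]:
    """Return the probe paths an Apache 'RedirectMatch <status> pattern' would match.

    An unparsable pattern blocks nothing (Apache would refuse to start on it anyway).
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return []
    return [p for p in paths if rx.search(p)]


def vhost_blocks_sh(body: str) -> bool:
    """True if some 'RedirectMatch 403 <regex>' in this vhost body refuses every
    .sh probe while leaving the non-.sh probes reachable (an over-broad regex such
    as '.*' would break the application, so it does not count as the fix)."""
    sh_probes = [p for p in PROBE_PATHS if p.endswith(".sh")]
    other_probes = [p for p in PROBE_PATHS if not p.endswith(".sh")]
    for m in REDIRECT403_RE.finditer(body):
        hit = set(blocked_paths(m.group(1)))
        if all(p in hit for p in sh_probes) and not any(p in hit for p in other_probes):
            return True
    return False


def audit_vhosts(config_text: str) -> dict[str, bool]:
    """Map each '<VirtualHost addr>' to whether it carries a working .sh block."""
    return {m.group(1).strip(): vhost_blocks_sh(m.group(2))
            for m in VHOST_RE.finditer(config_text)}


if __name__ == "__main__":
    for name, ok in audit_vhosts(SAMPLE_CONFIG).items():
        status = "protected" if ok else "MISSING: RedirectMatch 403 \\.sh$"
        print(f"{name:10} {status}")
```

Run it against the real vhost files (for example by reading `/etc/apache2/sites-enabled/*` into `audit_vhosts`) and any vhost reported as missing the directive is a dev install that still needs the line added; the `.pl` probe also guards against a regex so broad that it would refuse Koha's own CGI scripts.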

