[Koha] [Security advisory] ... (CVE-2014-6271)

Mark Tompsett mtompset at hotmail.com
Sun Sep 28 05:03:12 NZDT 2014


Greetings,

I know how many people just love the Live CDs/Live DVDs. This post may 
apply to you too, depending on how the creator made it. Please confirm with 
your creator, since it is unlikely that I (or anyone else other than the 
creator) would know.

GPML,
Mark Tompsett

-----Original Message----- 
From: Tomas Cohen Arazi
Sent: Friday, September 26, 2014 5:43 PM
To: koha
Subject: [Koha] [Security advisory] For 'dev' installs (CVE-2014-6271)

A couple of emails have been sent to the list in this regard (thanks Robin,
Chris and Steven).

It is important that you know that most Koha deployments are not exposed to
this vulnerability (CVE-2014-6271
<http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html>).
ONLY 'dev' installs are vulnerable.

In order to avoid this vulnerability, 'dev' installs should add the
following to their Apache virtualhost definitions:

RedirectMatch 403 \.sh$

If you don't know *where* to put this, mine looked like this (and yours
should too):

####
   Options +FollowSymLinks

   # If you are overriding any system preferences,
   # list them in this variable so the preference editor
   # knows that they have been overridden.
   # SetEnv OVERRIDE_SYSPREF_NAMES "Pref1,Pref2,Pref3"

   # Refuse any request whose URL path ends in .sh (CVE-2014-6271 mitigation
   # for 'dev' installs)
   RedirectMatch 403 \.sh$

   ErrorDocument 400 /cgi-bin/koha/errors/400.pl
####

Please contact any of us in private (I prefer IRC) if you have more doubts
specific to your setup.

====

To summarize:

- Know that Koha is not vulnerable to this bug on most of its deployment
forms:
  * Packages: SAFE
  * Source install (tar.gz/git/gitify):
     - standard: SAFE
     - single: SAFE
     - dev: UNSAFE
- Make sure your operating system has the latest bash update installed.
Just keep it updated, frequently.
- There's a solution for 'dev' installs, the one above (add the
"RedirectMatch 403 \.sh$" line to your vhosts definition).

Regards

-- 
Tomás Cohen Arazi
Prosecretaría de Informática
Universidad Nacional de Córdoba
✆ +54 351 5353750 ext 13168
GPG: B76C 6E7C 2D80 551A C765  E225 0A27 2EA1 B2F3 C15F
_______________________________________________
Koha mailing list  http://koha-community.org
Koha at lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha 
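The following is an added example, not code from this thread or from the Koha project. It audits a virtualhost definition for the "RedirectMatch 403 \.sh$" line the advisory asks 'dev' installs to add, and emulates the rule against sample URL paths so you can see exactly what it refuses and what it leaves alone. The function names and the two sample vhost texts are constructed for this example; it assumes, per mod_alias behaviour, that RedirectMatch tests its regex against the URL path only (query string excluded) and that the match is case-sensitive.

```python
"""Audit Apache vhost text for the Shellshock (CVE-2014-6271) mitigation
recommended above for Koha 'dev' installs, and show what the rule blocks.

Added example; not part of the Koha mailing-list thread or the Koha project.
The vhost texts and request paths below are constructed for illustration.
"""
import re

# The directive the advisory asks 'dev' installs to add: status, regex.
REQUIRED_STATUS = "403"
REQUIRED_PATTERN = r"\.sh$"

# One RedirectMatch directive per line: status code followed by a regex.
_REDIRECTMATCH_RE = re.compile(r"^\s*RedirectMatch\s+(\d{3})\s+(\S+)\s*$", re.M)


def find_redirectmatch_rules(config_text):
    """Return every (status, regex) pair declared with RedirectMatch."""
    return _REDIRECTMATCH_RE.findall(config_text)


def has_sh_block(config_text):
    """True when the config carries exactly the advisory's 403 rule for .sh."""
    return any(status == REQUIRED_STATUS and pattern == REQUIRED_PATTERN
               for status, pattern in find_redirectmatch_rules(config_text))


def audit_vhost_file(filename):
    """Audit a real vhost file on disk (hypothetical helper for operators)."""
    with open(filename, encoding="utf-8") as fh:
        return has_sh_block(fh.read())


def blocked_by_rule(url_path, pattern=REQUIRED_PATTERN):
    """Emulate RedirectMatch: Apache applies the regex to the URL path only,
    so the query string (if any) is stripped before matching. The match is
    case-sensitive, exactly like the directive as written in the advisory."""
    path = url_path.split("?", 1)[0]
    return re.search(pattern, path) is not None


def audit_paths(paths, pattern=REQUIRED_PATTERN):
    """Map each request path to whether the rule would answer 403."""
    return {p: blocked_by_rule(p, pattern) for p in paths}


# Constructed sample vhosts: one patched as the advisory describes, one not.
PATCHED_VHOST = """\
<VirtualHost *:8080>
   Options +FollowSymLinks
   RedirectMatch 403 \\.sh$
   ErrorDocument 400 /cgi-bin/koha/errors/400.pl
</VirtualHost>
"""

UNPATCHED_VHOST = """\
<VirtualHost *:8080>
   Options +FollowSymLinks
   ErrorDocument 400 /cgi-bin/koha/errors/400.pl
</VirtualHost>
"""

# Constructed request paths: the rule only cares about a literal ".sh" suffix.
SAMPLE_PATHS = [
    "/cgi-bin/koha/example.sh",          # refused
    "/cgi-bin/koha/example.sh?x=1",      # refused: query string is not matched
    "/cgi-bin/koha/mainpage.pl",         # served: Koha's Perl CGI is untouched
    "/intranet-tmpl/page.shtml",         # served: ".shtml" does not end in ".sh"
    "/cgi-bin/koha/EXAMPLE.SH",          # served: regex is case-sensitive
]

if __name__ == "__main__":
    for name, text in (("patched", PATCHED_VHOST), ("unpatched", UNPATCHED_VHOST)):
        state = "has" if has_sh_block(text) else "LACKS"
        print(f"{name} vhost {state} 'RedirectMatch {REQUIRED_STATUS} {REQUIRED_PATTERN}'")
    for path, blocked in audit_paths(SAMPLE_PATHS).items():
        print(f"{'403' if blocked else '200'}  {path}")
```

Run it against your own vhost file with audit_vhost_file(). The last two sample paths show the limit of the rule: it refuses only URL paths ending literally in ".sh", so it complements, rather than replaces, the bash update the advisory also asks for.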