Hello Trev;

On Thursday, 2 October 2014, 09:17:08, Trev Peterson wrote:
> Hello,
> 
> I can confirm that on my LEAF bering uclibc 4.3.3 routers the bash
> shellshock vulnerability exists.  I have the bash.lrp package installed
> and the vulnerability lives there from my understanding (busybox is not
> vulnerable).  I haven't tested this in any later versions but I suspect
> the vulnerability is present in many of them as well.  Is there an
> updated bash.lrp to resolve this?  This is a serious vulnerability and
> users of webservers in particular should be extra careful.

Patches for bash have been committed to the git repository over the last few
days for the upcoming 5.1.2-beta1.

> It's a testament to the great work in leaf that these old firewalls are
> still in service many years (some almost 10 years now, bering 2.x
> anyone?) after install.  Let me know if I can help test or facilitate
> the bash.lrp package update if one doesn't exist to address this
> security issue yet.  Thanks,

Phew, I doubt I can even build 2.x from sources :)

For reasons of reasons versions before 5.1 are no longer maintained and should 
be considered as insecure "by nature".

If there is urgent need, I'll try to update bash.lrp for 5.0, but I suggest 
either updating to 5.1.2-beta once it's released or replacing bash with the 
busybox shell (i.e. removing bash.lrp from leaf.cfg).

kp

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
