Thanks,  I've already removed bash from the leaf.cfg.  I just hadn't
seen any news hit the list and wanted to make sure people were aware of
the issue.  Thanks for the quick reply and the good work.  It sounds
like you already tested but if I can help in another way let me know.
Thanks,


On Sat, 2014-10-04 at 20:36 +0200, kp kirchdoerfer wrote:
> Hello Trev;
> 
> On Thursday, 2 October 2014, 09:17:08, Trev Peterson wrote:
> > Hello,
> > 
> > I can confirm that on my LEAF bering uclibc 4.3.3 routers the bash
> > shellshock vulnerability exists.  I have the bash.lrp package installed
> > and the vulnerability lives there from my understanding (busybox is not
> > vulnerable).  I haven't tested this in any later versions but I suspect
> > the vulnerability is present in many of them as well.  Is there an
> > updated bash.lrp to resolve this?  This is a serious vulnerability and
> > users of webservers in particular should be extra careful.
> 
> Patches for bash have been committed to the git repository in the last few
> days for the upcoming 5.1.2-beta1.
> 
> > It's a testament to the great work in leaf that these old firewalls are
> > still in service many years (some almost 10 years now, bering 2.x
> > anyone?) after install.  Let me know if I can help test or facilitate
> > the bash.lrp package update if one doesn't exist to address this
> > security issue yet.  Thanks,
> 
> Phew,  I doubt I even can build 2.x  from sources :)
> 
> For reasons of reasons versions before 5.1 are no longer maintained and
> should be considered as insecure "by nature".
> 
> If there is urgent need, I'll try to update bash.lrp for 5.0, but I suggest
> either to update to 5.1.2-beta once it's released or to replace bash with
> busybox shell (i.e. removing bash.lrp from leaf.cfg).
> 
> kp
> 
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> ------------------------------------------------------------------------
> leaf-user mailing list: leaf-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> Support Request -- http://leaf-project.org/

-- 
Trev Peterson
Advanced Reality
Email: t...@advanced-reality.com
Phone: +1 847 406 9018


