How we protect against the ShellShock bug

A severe security issue in the bash shell dubbed ShellShock has been published on last Wednesday and has been mentioned in mainstream media. The bash version running at Flying Circus was vulnerable, but we have rolled out a security patch on Thursday. This means that our systems are reasonably safe again.

With help of the ShellShock bug, attackers can gain access to bash through remote exploits. If successful, attackers would have the same privileges as logged in users (for example via SSH) and could easily compromise applications. Since bash is virtually everywhere on UNIX/Linux systems, it is very hard to foresee possible attack vectors.

We have now deployed bash version 4.2_p48 which contains a security fix. There is currently some discussion on the net if the fix is complete or if there are still open holes left. In case that an improved fix will be made available, we are going to deploy it as soon as possible.

Update: An improved version of the security fix has been made available. We are currently rolling out that new version on our servers. In the meantime, further discussion revealed that even the improved fix may be incomplete. So we are staying tuned for a third fix to come...