sh is a link to dash. Don't know the date on the system VM but I believe it is from the April OpenSSL update.

-----Original Message-----
From: Go Chiba [mailto:go.ch...@gmail.com]
Sent: Tuesday, September 30, 2014 12:04 PM
To: dev@cloudstack.apache.org
Subject: Re: Shellshock

Hi Demetrius,

Which Date of SystemVM are you using now?
And please share result of "ls -al /bin/sh" on your System VM.

from my iPhone

On 2014/10/01 3:42, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:

> When I do "echo $SHELL" on the Virtual Router instance I see "/bin/bash".
>
> -----Original Message-----
> From: Go Chiba [mailto:go.ch...@gmail.com]
> Sent: Tuesday, September 30, 2014 8:38 AM
> To: dev@cloudstack.apache.org
> Subject: Re: Shellshock
>
> Hi folks,
>
> By my digging, ipcalc included system() function call but debian based our
> system vm are using dash as system shell. So I think this shellshock concern
> are not directly affected to system vm cgi-bin. right?
>
> GO
>
> from my iPhone
>
> On 2014/09/30 10:13, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:
>
>> http://systemvm-public-ip/cgi-bin/ipcalc is a perl script.
>>
>> -----Original Message-----
>> From: Sheng Yang [mailto:sh...@yasker.org]
>> Sent: Monday, September 29, 2014 5:21 PM
>> To: <dev@cloudstack.apache.org>
>> Subject: Re: Shellshock
>>
>> http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's
>> normal that it cannot be exploited.
>>
>> --Sheng
>>
>>> On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis <
>>> demetrius.tsitre...@citrix.com> wrote:
>>>
>>> Do you mean you tried setting the USER_AGENT like in
>>> https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock
>>> ?
>>>
>>>
>>> -----Original Message-----
>>> From: Ian Duffy [mailto:i...@ianduffy.ie]
>>> Sent: Friday, September 26, 2014 6:56 AM
>>> To: CloudStack Dev
>>> Subject: Re: Shellshock
>>>
>>> Tried this against the latest system vms built on Jenkins.
>>>
>>> Didn't get a successful exploited response. Tested against
>>> http://systemvm-public-ip/cgi-bin/ipcalc
>>>> On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2...@gmail.com> wrote:
>>>>
>>>>
>>>> After heart bleed we are Shell shocked
>>>> http://www.bbc.com/news/technology-29361794 !
>>>> It may not affect cloudstack directly as it is a vulnerability that
>>>> affects bash, and allows the attacker to take control of the system
>>>> running bash shell.
>>>>
>>>> -abhi
>>>
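
Whether a CGI script on the system VM ends up in bash depends on the script's shebang line and on what /bin/sh resolves to, which is separate from the login shell reported by $SHELL. The check below is an added example, not part of the original thread or of CloudStack's code; it runs against a constructed fixture, and `status.cgi`, `sh-debian` and `sh-other` are hypothetical names.

```shell
# Added example: does a CGI script reach bash via its shebang or via /bin/sh?
# It covers only those two paths; a script that runs bash by name is out of scope.

# Basename of the binary a shell path resolves to, following all symlinks.
sh_target() {
    resolved=$(readlink -f "$1") || return 1
    basename "$resolved"
}

# Interpreter named on the "#!" line, unwrapping "#!/usr/bin/env NAME".
cgi_interpreter() {
    first=$(head -n 1 "$1") || return 1
    case $first in '#!'*) ;; *) return 0 ;; esac   # no shebang: print nothing
    read -r interp arg _rest <<EOF
${first#??}
EOF
    [ -n "$interp" ] || return 0
    if [ "$(basename "$interp")" = env ] && [ -n "$arg" ]; then interp=$arg; fi
    basename "$interp"
}

# usage: bash_reachable SH_PATH CGI_FILE
# SH_PATH is what system()/popen() execute, which is not the same as $SHELL.
bash_reachable() {
    shname=$(sh_target "$1") || return 2
    interp=$(cgi_interpreter "$2") || return 2
    if [ "$interp" = bash ]; then echo "script-is-bash"
    elif [ "$shname" = bash ]; then echo "system-shell-is-bash"
    else echo "no-bash-path (sh=$shname, interpreter=${interp:-none})"
    fi
}

# Constructed fixture standing in for a system VM's /bin and cgi-bin.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/dash"; : > "$d/bash"
    ln -s dash "$d/sh-debian"       # /bin/sh -> dash
    ln -s bash "$d/sh-other"        # /bin/sh -> bash
    printf '#!/usr/bin/perl\nsystem("true");\n' > "$d/ipcalc"
    printf '#!/bin/bash\necho ok\n' > "$d/status.cgi"   # hypothetical script
    echo "$d"
}

fx=$(make_fixture) || exit 1
bash_reachable "$fx/sh-debian" "$fx/ipcalc"
bash_reachable "$fx/sh-other" "$fx/ipcalc"
bash_reachable "$fx/sh-debian" "$fx/status.cgi"
rm -rf "$fx"
```

On a real host, pass `/bin/sh` and the path of each script under cgi-bin; a `no-bash-path` result says nothing about scripts that invoke bash explicitly.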