I would suggest that having some sort of built in functionality tied to the
management server would be a good thing, but don't make it overbearing. If
operators have their own patch methodologies right now that's fine, and they
should be able to continue to use them. For smaller shops or operation
On Oct 3, 2014, at 4:03 PM, Alex Brett wrote:
> On 03 October 2014 13:52, Adrian Lewis [adr...@alsiconsulting.co.uk] wrote:
>> The only solution I can think of is to 'apt-get update bash' on every
>> system VM but clearly these get fired up dynamically. Is it possible to
>> boot the template, make
From a service provider perspective I would agree that this issue needs to
be addressed as soon as possible. In the short term it would make sense
for CloudStack to release a patched SystemVM template and upgrade
instructions. In the long term I think the better option would be to allow
the temp
On 03 October 2014 13:52, Adrian Lewis [adr...@alsiconsulting.co.uk] wrote:
> The only solution I can think of is to 'apt-get update bash' on every
> system VM but clearly these get fired up dynamically. Is it possible to
> boot the template, make modifications and then use as a replacement system
nal Message-
From: Santhosh Edukulla [mailto:santhosh.eduku...@citrix.com]
Sent: 02 October 2014 23:10
To: dev@cloudstack.apache.org
Subject: RE: Shellshock
We may use the below scanner to identify this vulnerability. One of our
ex-colleagues has written it, it's a remote, network scann
end.
Regards,
Santhosh
From: Demetrius Tsitrelis [demetrius.tsitre...@citrix.com]
Sent: Wednesday, October 01, 2014 1:59 PM
To:
Subject: RE: Shellshock
Actually, I am not sure. Only the env.cgi script is loaded and, while the
other scripts are in perl
]
Sent: Wednesday, October 01, 2014 10:52 AM
To:
Subject: RE: Shellshock
Interestingly this video shows an attack against a perl script...
https://www.youtube.com/watch?v=ArEOVHQu9nk
-Original Message-
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com]
Sent: Monday, September
Interestingly this video shows an attack against a perl script...
https://www.youtube.com/watch?v=ArEOVHQu9nk
-Original Message-
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com]
Sent: Monday, September 29, 2014 6:13 PM
To:
Subject: RE: Shellshock
http://systemvm-public
:
> Subject: Re: Shellshock
>
> It's not a safe approach, because upgrade without testing may introduce other
> bugs, such as one bug we saw recently introduced by upgrade of openswan. I
> think we still need to generate template, then distribute it after testing.
>
>
surely this should
>> be
>> treated as a fairly major priority? I'd far rather not have bombs in every
>> system vm in the first place regardless of whether people think there
>> aren't
>> any detonators.
>>
>> Adrian
>>
>> -Origina
far rather not have bombs in every
system vm in the first place regardless of whether people think there aren't
any detonators.
Adrian
-Original Message-
From: John Kinsella [mailto:j...@stratosec.co]
Sent: 30 September 2014 22:57
To: dev@cloudstack.apache.org
Subject: Re: Shellshock
ny detonators.
Adrian
-Original Message-
From: John Kinsella [mailto:j...@stratosec.co]
Sent: 30 September 2014 22:57
To: dev@cloudstack.apache.org
Subject: Re: Shellshock
I’m not worried about any specific use-case, but I’d rather not have
vulnerable software running on SSVMs in general.
: Sheng Yang [mailto:sh...@yasker.org]
Sent: Monday, September 29, 2014 5:21 PM
To: dev@cloudstack.apache.org
Subject: Re: Shellshock
http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's
normal that it cannot be exploited.
--Sheng
On Fri, Sep 26, 20
systemvm-public-ip/cgi-bin/ipcalc is a perl script.
> >
> > -Original Message-
> > From: Sheng Yang [mailto:sh...@yasker.org]
> > Sent: Monday, September 29, 2014 5:21 PM
> > To:
> > Subject: Re: Shellshock
> >
> > http://systemvm-public-ip/
sh is a link to dash.
Don't know the date on the system VM but I believe it is from the April OpenSSL
update.
-Original Message-
From: Go Chiba [mailto:go.ch...@gmail.com]
Sent: Tuesday, September 30, 2014 12:04 PM
To: dev@cloudstack.apache.org
Subject: Re: Shellshock
hi Deme
> -Original Message-
> From: Go Chiba [mailto:go.ch...@gmail.com]
> Sent: Tuesday, September 30, 2014 8:38 AM
> To: dev@cloudstack.apache.org
> Subject: Re: Shellshock
>
> Hi folks,
>
> By my digging, ipcalc included system() function call but debian based o
When I do "echo $SHELL" on the Virtual Router instance I see "/bin/bash".
-Original Message-
From: Go Chiba [mailto:go.ch...@gmail.com]
Sent: Tuesday, September 30, 2014 8:38 AM
To: dev@cloudstack.apache.org
Subject: Re: Shellshock
Hi folks,
By my digging, ip
ttp://systemvm-public-ip/cgi-bin/ipcalc is a perl script.
>
> -Original Message-
> From: Sheng Yang [mailto:sh...@yasker.org]
> Sent: Monday, September 29, 2014 5:21 PM
> To:
> Subject: Re: Shellshock
>
> http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script
http://systemvm-public-ip/cgi-bin/ipcalc is a perl script.
-Original Message-
From: Sheng Yang [mailto:sh...@yasker.org]
Sent: Monday, September 29, 2014 5:21 PM
To:
Subject: Re: Shellshock
http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's normal
that it cann
munity.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock
> ?
>
>
> -Original Message-
> From: Ian Duffy [mailto:i...@ianduffy.ie]
> Sent: Friday, September 26, 2014 6:56 AM
> To: CloudStack Dev
> Subject: Re: Shellshock
>
>
Subject: Re: Shellshock
Tried this against the latest system vms built on Jenkins.
Didn't get a successful exploited response. Tested against
http://systemvm-public-ip/cgi-bin/ipcalc
On 25 Sep 2014 16:56, "Abhinandan Prateek" wrote:
>
> After heart bleed we are Shell shocked
Yep, working on formal/better instructions.
On Sep 26, 2014, at 12:30 PM, David Nalley <da...@gnsa.us> wrote:
I am not sure that we are done with the vulnerabilities; and I think
the apt-get is a poor option to tell folks because they are vulnerable
again the next time a machine respawns.
I am not sure that we are done with the vulnerabilities; and I think
the apt-get is a poor option to tell folks because they are vulnerable
again the next time a machine respawns.
On Fri, Sep 26, 2014 at 2:56 PM, John Kinsella wrote:
> I just tried some older virtual routers, and they are:
>
> r
I just tried some older virtual routers, and they are:
root@r-163-VM:~# env x='() { :;}; echo OOPS' bash -c /usr/bin/true
OOPS
bash: /usr/bin/true: No such file or directory
That said, you can only ssh to them from the local hypervisor. Not sure if
there’s any exposure on the http side.
Running
Tried this against the latest system vms built on Jenkins.
Didn't get a successful exploited response. Tested against
http://systemvm-public-ip/cgi-bin/ipcalc
On 25 Sep 2014 16:56, "Abhinandan Prateek" wrote:
>
> After heart bleed we are Shell shocked
> http://www.bbc.com/news/technology-29361