Bash shellshock is now patched in our base image


(Sam Saffron) #1

CVE-2014-6271, aka bash “shellshock”, is now patched in our Docker base image.

To update

cd /var/discourse  
git pull
./launcher rebuild app 

(replace /var/discourse with /var/docker if your installation is still in that directory.)

It is highly unlikely this vulnerability would affect Discourse as ENV injection is not really something we do, NGINX does or Unicorn does. However, better safe than sorry.

In other news, I also shrunk down our base image using docker squash so it should take less time to update it and less space.


(Benjamin Kampmann) #2

Deploying as we speak. Thanks heaps!


(Tomo Vukasović) #3

I updated bash on Digital Ocean Ubuntu stack using:

sudo apt-get update && sudo apt-get install --only-upgrade bash

(Homebrew Hops) #4

I just updated and I am still getting vulnerable.

Edit:

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

https://access.redhat.com/security/cve/CVE-2014-7169


(Juan Manuel Formoso) #5

Is it the same to update from /admin/upgrade?


(Annika Backstrom) #6

./launcher rebuild, or ./launcher rebuild app? Is the former supposed to do something? Seems to be a no-op on my install (it dumps the command usage).


(Robin Ward) #7

@sam forgot to include app in that line. I updated the OP, but the command is ./launcher rebuild app


(Homebrew Hops) #8

I am embarrassed that I missed this.

root@discourse-app:/# x='() { :;}; echo vulnerable' bash
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
root@discourse-app:/#
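
The check from post #8 wrapped as a reusable function, as an added example that is not part of the original thread or of Discourse's tooling. The function name `check_bash` and its result words are assumptions made for this example; it covers only the CVE-2014-6271 probe shown above, not the follow-up CVE-2014-7169 from post #4.

```shell
#!/bin/sh
# Added example: run the CVE-2014-6271 probe from post #8 against one bash
# binary and report the result as a word plus an exit status.
# usage: check_bash /bin/bash

check_bash() {
    bin="${1:-/bin/bash}"          # binary to probe (defaults to /bin/bash)

    if [ ! -x "$bin" ]; then
        echo "missing"
        return 2
    fi

    # env -i starts the child with an empty environment, so the only
    # variable bash imports is the probe itself.
    # A vulnerable bash executes the trailing command while importing x and
    # prints the marker on stdout. A patched bash prints nothing on stdout;
    # the warning lines seen in post #8 go to stderr and are discarded.
    out=$(env -i x='() { :;}; echo vulnerable' "$bin" -c ':' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable";     return 1 ;;
        *)            echo "not-vulnerable"; return 0 ;;
    esac
}
```

Run it inside the container after `./launcher rebuild app`, since the bash that matters is the one in the rebuilt image rather than the one on the host.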

(Jeff Atwood) #9