CustomTech Blog: Univention patches for "Shellshock" - bash security vulnerability

Tuesday, 30 September 2014

Univention patches for "Shellshock" - bash security vulnerability

Univention has promptly released patches for all "current" releases of UCS: 3.2, 3.1, 3.0 and 2.4.

The first patch was released on 25th September, with further updates on 27th September.

If your UCS maintenance is current, you will have received detailed "errata" announcement emails for each of the updates.

The 3.2 update was announced formally here:
http://www.univention.com/univention/news/news-releases/news-details/uni/2014/09/26/fix-for-shellshock-bug/

Note that the statement in the announcement about Univention (and Debian) using "dash" as the default shell for scripts is true for the later versions of UCS (3.x), but not for old versions like 2.4. Also note that using "dash" as the default shell for scripts helps, but individual script programmers can and do override this, so it is not a full solution.

In all cases it is recommended that you apply the patches as soon as possible. Then check that the patches are installed and operating as expected.
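One way to carry out both checks on a host, as an added example that is not part of the original post or of Univention's tooling: it lists the scripts that still run under bash even where "dash" is the default shell for scripts, and confirms that the installed bash no longer runs text trailing a function definition in an environment variable (the CVE-2014-6271 behaviour). The function names and the `SH_PATH` override are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and SH_PATH
# are assumptions made for this sketch.

# interpreter_of FILE: print the basename of the shebang interpreter,
# unwrapping "#!/usr/bin/env NAME"; print nothing if there is no shebang.
interpreter_of() {
    first=
    [ -r "$1" ] || return 0
    IFS= read -r first < "$1" || [ -n "$first" ] || return 0
    case $first in '#!'*) ;; *) return 0 ;; esac
    set -f; set -- ${first#??}; set +f   # split "interpreter args" on blanks
    [ $# -gt 0 ] || return 0
    if [ "${1##*/}" = env ] && [ $# -gt 1 ]; then shift; fi
    printf '%s\n' "${1##*/}"
}

# runs_under_bash FILE: status 0 if FILE is run by bash, either because its
# shebang names bash or because it names sh and sh resolves to bash.
runs_under_bash() {
    case $(interpreter_of "$1") in
        bash) return 0 ;;
        sh)   case $(readlink -f "${SH_PATH:-/bin/sh}") in
                  */bash) return 0 ;;
              esac ;;
    esac
    return 1
}

# bash_scripts_in DIR...: list regular files under DIR that run under bash.
bash_scripts_in() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        if runs_under_bash "$f"; then printf '%s\n' "$f"; fi
    done
}

# bash_is_patched [BASH]: status 0 if BASH ignores a command that trails a
# function definition in an environment variable (the CVE-2014-6271 check),
# 1 if it runs the command, 2 if BASH cannot be found.
bash_is_patched() {
    command -v "${1:-bash}" >/dev/null 2>&1 || return 2
    out=$(env 'probe=() { :;}; echo MARKER' "${1:-bash}" -c : 2>/dev/null) || :
    case $out in *MARKER*) return 1 ;; esac
    return 0
}
```

Source the file, then run `bash_scripts_in` over the directories that hold your own scripts and `bash_is_patched` against each bash binary on the host.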

If you did not receive the errata announcement emails, you can see the core errata information here:

UCS 3.2.x
http://errata.univention.de/ucs/3.2/213.html
http://errata.univention.de/ucs/3.2/217.html

UCS 3.1
http://errata.univention.de/ucs/3.1/233.html

UCS 3.0
http://errata.univention.de/ucs/3.0/146.html

UCS 2.4.x
On UCS 2.4 the patch is implemented differently as a "hotfix":
Reference:          CVE-2014-6271, CVE-2014-7169, bug 36005
Fixed version:      3.2-4.45.201409261641
30/10/14 Update: A second "hotfix" is also available:
Reference:          CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187, bug 36240
Fixed version:      3.2-4.49.201410231847

If you need help working through these issues, please don't hesitate to contact the CustomTech support team: http://www.customtech.com.au/support.html