Does CVE-2014-6271 Bash Code Inject Vulnerability affect Shibboleth SP and/or IdP?
cantor.2 at osu.edu
Fri Sep 26 09:55:56 EDT 2014
On 9/25/14, 11:02 PM, "Gernot Hassenpflug"
<gernot.hassenpflug at asahinet.com> wrote:
>Our company needs me to report on whether there is any vulnerability in
>the Shibboleth-related software: Apache module and shibd daemon on the
>SP side, in particular.
I'm extremely curious as to why. I know that some bugs are things you have
to prioritize patching, but this one is a raging fire. You don't even
think about it, you just patch every web server you can get hold of, and
you're still too late.
>The shibd daemon communicates through the apache module to the browser,
>using SAML, so I expect there to be no use of shell environment
>variables here. However, perhaps the daemon calls a program from the
>command line at some point, or some related use of environment