Does CVE-2014-6271 Bash Code Inject Vulnerability affect Shibboleth SP and/or IdP?

Cantor, Scott cantor.2 at osu.edu
Fri Sep 26 09:55:56 EDT 2014


On 9/25/14, 11:02 PM, "Gernot Hassenpflug"
<gernot.hassenpflug at asahinet.com> wrote:
>
>Our company needs me to report on whether there is any vulnerability in
>the Shibboleth-related software: Apache module and shibd daemon on the
>SP side, in particular.

I'm extremely curious as to why. I know that some bugs are things you have
to prioritize patching, but this one is a raging fire. You don't even
think about it, you just patch every web server you can get hold of, and
you're still too late.

>The shibd daemon communicates through the Apache module to the browser,
>using SAML, so I expect there to be no use of shell environment
>variables here. However, perhaps the daemon calls a program from the
>command line at some point, or some related use of environment
>variables?

No.

-- Scott


