Does CVE-2014-6271 Bash Code Inject Vulnerability affect Shibboleth SP and/or IdP?

Cantor, Scott cantor.2 at
Fri Sep 26 23:59:03 EDT 2014

On 9/26/14, 11:46 PM, "Gernot Hassenpflug"
<gernot.hassenpflug at> wrote:
>Thanks for the reply. I realize the above is true, at a technical level,
>but in terms of managing problems, tracking solutions, auditing past
>logs, and communicating with customers, requires more detail, hence my

I didn't realize you were kind of in the middle, as opposed to "just" a
deployer, hence my question.

>(2) Prioritizing, and application-level patching
>OS-level patches are critical, but application-level patches can be done
>more quickly, especially since OS-level patches are not final yet. (We
>emergency-patched our in-house software to prevent use of shell.)

My experience is the opposite, just because there's no way I can produce
patches on the timelines Red Hat or MS can (for one thing, they have
advance knowledge and I usually don't). So I view most of the applications
or middleware I use as much more precarious than the OS, which usually has
patches more ahead of the real threats.

-- Scott

