Does CVE-2014-6271 Bash Code Inject Vulnerability affect Shibboleth SP and/or IdP?

Gernot Hassenpflug gernot.hassenpflug at
Tue Sep 30 00:00:54 EDT 2014

"Cantor, Scott" <cantor.2 at> writes:

> On 9/26/14, 11:46 PM, "Gernot Hassenpflug"
> <gernot.hassenpflug at> wrote:
>>Thanks for the reply. I realize the above is true, at a technical level,
>>but in terms of managing problems, tracking solutions, auditing past
>>logs, and communicating with customers, requires more detail, hence my
> I didn't realize you were kind of in the middle, as opposed to "just" a
> deployer, hence my question.

Hello Scott,

No worries, I added more details for the benefit of other people doing
searches, since all this communication should be of value. Seeing
different perspectives and assumptions here is a good thing for

>>(2) Prioritizing, and application-level patching
>>OS level patches are critical, but application level patches can be done
>>more quickly, especially since OS-level patches are not final yet.  (we
>>emergency-patched our in-house software to prevent use of shell).
> My experience is the opposite, just because there's no way I can produce
> patches on the timelines Red Hat or MS can (for one thing, they have
> advance knowledge and I usually don't). So I view most of the applications
> or middleware I use as much more precarious than the OS, which usually has
> patches more ahead of the real threats.

Ah, I see. That is another issue I did not consider. I understand better
now how difficult it is now to make general assumptions without having
more communication with the other parties involved.

Just to conclude: we've rolled out OS-level patches last week and again
early this week to all our systems, including those using Shibboleth SP
(customer services) and IdP (in-house only).

Best regards,
Gernot Hassenpflug
Asahi Net, Inc.
Tokyo, Japan
