Does CVE-2014-6271 Bash Code Inject Vulnerability affect Shibboleth SP and/or IdP?
Gernot Hassenpflug
gernot.hassenpflug at asahinet.com
Tue Sep 30 00:00:54 EDT 2014
"Cantor, Scott" <cantor.2 at osu.edu> writes:
> On 9/26/14, 11:46 PM, "Gernot Hassenpflug"
> <gernot.hassenpflug at asahinet.com> wrote:
>>
>>Thanks for the reply. I realize the above is true, at a technical level,
>>but in terms of managing problems, tracking solutions, auditing past
>>logs, and communicating with customers, requires more detail, hence my
>>question.
>
> I didn't realize you were kind of in the middle, as opposed to "just" a
> deployer, hence my question.
Hello Scott,
No worries, I added more details for the benefit of other people doing
searches, since all this communication should be of value. Seeing
different perspectives and assumptions here is a good thing for
reference.
>>(2) Prioritizing, and application-level patching
>>
>>OS level patches are critical, but application level patches can be done
>>more quickly, especially since OS-level patches are not final yet. (we
>>emergency-patched our in-house software to prevent use of shell).
>
> My experience is the opposite, just because there's no way I can produce
> patches on the timelines Red Hat or MS can (for one thing, they have
> advance knowledge and I usually don't). So I view most of the applications
> or middleware I use as much more precarious than the OS, which usually has
> patches more ahead of the real threats.
Ah, I see. That is another issue I did not consider. I understand better
now how difficult it is now to make general assumptions without having
more communication with the other parties involved.
Just to conclude: we're rolled out OS-level patches last week and again
early this week to all our systems, including those using Shibboleth SP
(customer services) and IdP (in-house only).
Best regards,
Gernot Hassenpflug
--
Asahi Net, Inc.
Tokyo, Japan
More information about the users
mailing list