[Xymon] 'Shell shock' mitigation

me at tdiehl.org
Fri Sep 26 22:14:22 CEST 2014


Hi Henrik,

On Fri, 26 Sep 2014, Henrik Størner wrote:

>> The xymon CGI interface runs via shell wrappers around the actual C cgi
>> code (to set the environment properly), which means this would be an
>> avenue for attack.
> Indeed, this one is nasty. Fortunately, most Linux systems I know of
> have /bin/sh linked to /bin/dash and hence are not vulnerable.
>
> In light of this, I think it is about time we retire the shell-script
> wrappers from Xymon. I have written a replacement which is now checked
> into the 4.3.18 branch.
>
> There is a preliminary release of 4.3.18 available on
> https://www.xymon.com/patches/ - feel free to try it out. I will release
> 4.3.18 over the weekend unless I find some problems with it.
>
> NOTE: Replacing the shell script wrappers means that the cgioptions.cfg
> file is no longer processed as a shell script. The new wrapper works
> fine with the default version of cgioptions.cfg, but if you have
> modified it in a way that it relies on being processed by a shell, then
> it will break.

I just upgraded bash to the latest from RH/Centos and I can report that it
breaks the data from machines using bbwin. They all went purple. To be sure
my hunch was correct, I downgraded bash to bash-4.1.2-15.el6_5.1.x86_64 and
the purple went away.

Is it expected that the fix you reference above will work with bbwin? I have
not modified cgioptions.cfg.

I need to wait until the terabithia rpms are updated to upgrade xymon.

Regards,

-- 
Tom                 me at tdiehl.org
Spamtrap address    me123 at tdiehl.org
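
A pre-upgrade check for the NOTE quoted above, as an added example that is not part of the original message or of Xymon: it flags lines in a cgioptions.cfg that only behave as intended when a shell interprets them. The accepted syntax (comments, blank lines, NAME=value with plain $NAME references), the pattern list and the sample file are assumptions constructed for illustration; the message does not state what the 4.3.18 wrapper accepts.

```python
import re

# Heuristic patterns (assumed list) for constructs that need a shell to interpret them.
SHELL_ONLY = [
    ("command substitution", re.compile(r"\$\(|`")),
    ("control structure", re.compile(
        r"^\s*(if|then|elif|else|fi|for|while|until|do|done|case|esac)(?=\s|;|$)")),
    ("sources another file", re.compile(r"^\s*(\.|source)\s+\S")),
    ("parameter expansion operator", re.compile(r"\$\{[^}]*[:#%/-][^}]*\}")),
]
# Assumption: a non-shell parser still accepts NAME=value, optionally with "export".
ASSIGNMENT = re.compile(r"^\s*(export\s+)?[A-Za-z_][A-Za-z0-9_]*=")


def audit(text):
    """Return (line number, reason) for every line that relies on a shell."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments need no shell
        for reason, pattern in SHELL_ONLY:
            if pattern.search(line):
                findings.append((lineno, reason))
                break
        else:
            # No shell-only construct found: the line must still be an assignment.
            if not ASSIGNMENT.match(line):
                findings.append((lineno, "not a NAME=value assignment"))
    return findings


# Constructed sample with hypothetical names; not the cgioptions.cfg Xymon ships.
SAMPLE = """\
# constructed sample
EXAMPLE_SVC_OPTS="--env=$EXAMPLE_ENV --example-flag"
EXAMPLE_HOST=`hostname`
if [ -f /etc/example/local.cfg ]; then
    . /etc/example/local.cfg
fi
EXAMPLE_DIR="${EXAMPLE_BASE:-/tmp}"
echo started
"""

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print(f"line {lineno}: {reason}")
```

The patterns are line-based heuristics, so a backtick inside a single-quoted value is also reported; review each finding by hand before upgrading.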

