Shellshock: Does Matrix use bash scripts?


(Nic Hubbard) #1

With the report about the Shellshock bug, I just need to know if Matrix makes our server vulnerable. Does it use bash commands anywhere?


(Tom Chadwin) #2

Uninformed response: whether it uses them or not, it probably has bash, so precautions would seem wise.


(Micky Gough) #3

Ben Pearson and I spent a great deal of time testing various scenarios relating to this question. The issue is deeper than "does it call BASH scripts" since the system() function runs stuff in a shell. So *any* call to *any* executable runs BASH.

 

That's the bad news.

 

The good news is that the only way this can be exploited is if you're running Matrix (or another web app) using CGI. FastCGI (php-fpm) and Apache mod_php are not vulnerable. CGI is vulnerable because it passes critical client-controlled values through to the CGI script as environment variables.

 

I am not aware of any systems running Matrix on CGI. It's horrible and inefficient. Our older systems run on Apache/mod_php, our newer systems run on nginx/php-fpm, neither of which are vulnerable.


(Micky Gough) #4

Having said that, I recommend installing all available security updates for your systems anyway. It's always good to install security updates :)


(Nic Hubbard) #5

> Having said that, I recommend installing all available security updates for your systems anyway. It's always good to install security updates :)

 

Yep. Planning on it. :)


(Tom Chadwin) #6

Just to complete this, is this all that is required:

yum update bash

Any possible issues with carrying this out? Any issues with older Matrix versions (ours is currently 4.18.6)?


(Micky Gough) #7

That'll do it. :)

 

It's been well tested, and should have no impact on Matrix regardless of the version you're running.
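
The two conditions discussed in this thread, whether the installed bash is patched and whether the web server runs anything as classic CGI, can be checked after the update with a script like the one below. It is an added example and not part of the original posts; it assumes an Apache-style configuration, and the function names, marker string and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): two post-update checks on a host.

# bash_status SHELL_PATH
# Starts the given shell with a function-style environment variable that has
# a trailing command. An unpatched bash runs the trailing command on startup.
bash_status() {
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$1" -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# cgi_directives < apache-config
# Prints numbered, non-comment lines that enable classic CGI execution, the
# mode that copies client-controlled request values into the environment.
# FastCGI/php-fpm directives (fcgid, proxy_fcgi) are deliberately not matched,
# and "Options -ExecCGI" (CGI switched off) is not reported.
cgi_directives() {
    grep -Ein '^[[:space:]]*(ScriptAlias(Match)?[[:space:]]|(Add|Set)Handler[[:space:]]+cgi-script|Options([[:space:]]+[+-]?[A-Za-z]+)*[[:space:]]+\+?ExecCGI|LoadModule[[:space:]]+cgid?_module)' || true
}

# Constructed sample configuration, for demonstration only.
sample_conf() {
    cat <<'EOF'
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
# ScriptAlias /old/ "/var/www/old-cgi/"
LoadModule cgi_module modules/mod_cgi.so
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/html">
    Options -ExecCGI +FollowSymLinks
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi .sh
</Directory>
EOF
}

echo "bash: $(bash_status "$(command -v bash || command -v sh)")"
echo "CGI-enabling lines in sample config:"
sample_conf | cgi_directives
```

On a real host, feed `cgi_directives` the server's own configuration files instead of `sample_conf`; no output means no classic CGI directives were found in that input.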