----
Security vulnerability in bash addressed
// The GitHub Blog
Update: 2014-09-25 15:45 UTC
GitHub is closely monitoring new developments that indicate the existing bash patch for CVE-2014-6271 is incomplete. The fix for this new bash vulnerability is still in progress, but we will be releasing a new patch for GitHub Enterprise once it has been resolved. At this time, we still strongly encourage all GitHub Enterprise customers to update their instances using the patch made available yesterday.
This morning it was disclosed that Stephane Chazelas discovered a critical vulnerability in the GNU bash utility present on the vast majority of Unix and Linux systems. Using this vulnerability, an attacker can force the execution of arbitrary commands on an affected server. While these commands may not run with root privileges, they provide a significant vector for further exploitation of a system.
We have released special patches of GitHub Enterprise to fix this vulnerability, and have provided detailed instructions to all our Enterprise customers on how to upgrade their instance. An immediate upgrade is required.
None of the extensive penetration testing we've performed today has uncovered any vulnerability on github.com, including git over SSH. As an added precaution, however, we have patched all systems to ensure the vulnerability is addressed.
----