[Live-demo] reporting shellShock bug in OSgeo Live

Alex Mandel tech_dev at wildintellect.com
Thu Nov 20 10:30:02 PST 2014


Thanks for bringing it up, I thought we had made a formal announcement
about that issue but can't find it.

I'll also take this moment to restate, which we plan to add prominently
to the website, OSGeo-Live is not intended for production deployment as
a server. It is intentionally made with weak passwords and way more
services than typical turned on in order to make demos and training easier.

Running recommendations include,
1. Do not install ssh server unless you lock it down properly.
2. Run the virtual machine behind a NAT so that it is not reachable from
the outside world (default for desktop virtualization).
3. If you do run it on a local network for testing, firewall it so it
can't be seen from outside the local network.
4. As with any OS, always do security updates in a timely manner.
OSGeo-Live built on Lubuntu notifies you weekly of updates.

Note the shell shock bug really isn't an issue if you follow the
guidelines above.

Thanks,
Alex

On 11/20/2014 08:30 AM, "Dr. Ing. Carlos López" wrote:
> Matthias Streulens Geomajas wrote:
> 
>> It's also indeed true that the bash bug is in version 8.0 of the live
>> dvd.
>> As this is a packaged ISO, BEFORE the bash bug was detected.
>>
>> Best to do is a sudo apt-get update and sudo apt-get dist-upgrade
>> after installing the release as packages are not updated since release
>> of the live dvd.
>> Note that the GIS installed packages also will be updated.
> 
> Thank you for the hint.
> Regards
> Carlos
> 
>>
>> Kind regards,
>> Matthias
>>
>> "Dr. Ing. Carlos López" schreef op 20/11/2014 om 12:24:
>>
>>> Hello:
>>> I have just downloaded and deployed version 8.0 of the distro
>>> (without problems) in a production environment. Afterwards, TI guys
>>> performed some security checks and announced that the distro is
>>> vulnerable to the shellShock bug (see http://shellshocker.net). It
>>> appears to be a major issue related with bash, which has been around
>>> before 1994(!). They decided to shut down the installation.
>>> This should be a bug report, but I found no other way to report it. I
>>> would like to know if some actions could be taken to solve it.
>>> Regards
>>> Carlos
>>>
>>>
>>> _______________________________________________
>>> Live-demo mailing list
>>> Live-demo at lists.osgeo.org
>>> http://lists.osgeo.org/mailman/listinfo/live-demo
>>> http://live.osgeo.org
>>> http://wiki.osgeo.org/wiki/Live_GIS_Disc
>>>
>>
>>
> 
> 
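
Added example, not part of the original message or of the OSGeo-Live project: a small shell check for recommendations 1 to 3 above, listing TCP listeners bound to anything other than loopback and flagging an exposed ssh port. The function names and the sample `ss -tln` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find TCP listeners reachable from beyond loopback.
# Function names are hypothetical; the sample data below is constructed.

# Constructed sample in the column layout printed by `ss -tln`.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    *:80               *:*
LISTEN 0      128    [::]:8080          [::]:*
LISTEN 0      5      [::1]:631          [::]:*
EOF
}

# Read `ss -tln` output on stdin and print "port address" for every
# listener that is not bound to a loopback address (127.x.x.x or ::1).
exposed_listeners() {
    awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port, addr
    }' | sort -n
}

# Succeed (exit 0) when an ssh listener on port 22 is exposed.
ssh_exposed() {
    exposed_listeners | awk '$1 == 22 { found = 1 } END { exit !found }'
}

# Run against the constructed sample.
sample_ss_output | exposed_listeners
if sample_ss_output | ssh_exposed; then
    echo "ssh is listening on a non-loopback address: lock it down or remove it"
fi
```

On the VM itself, pipe the real output in with `ss -tln | exposed_listeners`. Anything it prints is what the NAT or firewall has to keep away from outside networks.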


