CloudLinux update for Bash [beta] to address Shellshock - Is anyone using it?

mtindor

Well-Known Member
Sep 14, 2004
1,454
110
193
inside a catfish
cPanel Access Level
Root Administrator
Those who use CloudLinux likely are aware that CL released an updated [beta] version of Bash which apparently closes up the Bash vulnerability by disabling function imports via environment variables. However, there is an apparent caveat that some scripts on servers could stop working. I know that CL posted that this version of bash "should" be compatible with cPanel, but I'm wondering if anyone has actually tried out the Bash beta available from CL?

Beta: Better fix for Shellshock bash vulnerability

Is anybody on here using it? If so, would you care to share your thoughts regarding any breakage?

M

- - - Updated - - -

I haven't seen any statement from Red Hat or CentOS or cPanel regarding the ramifications of disabling bash function imports on RH/CentOS or on cPanel servers specifically, but it sure would be nice if the vendors would release some sort of statement that can give us hosting providers an idea of what we might be in for if we attempt to use bash with the function imports disabled by default.

M
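
A pre-upgrade check for the breakage asked about above, as an added example that is not part of the thread and not CloudLinux or cPanel code. It assumes the scripts at risk are the ones that pass functions to child shells with `export -f` or `declare -fx`; the function names, the `cl_probe` probe and the sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upgrade check for a bash build that no longer imports
# functions from the environment. All names here are hypothetical.

# List files under DIR whose non-comment lines export a shell function
# (export -f NAME, declare -fx NAME, typeset -fx NAME). Heuristic only:
# a '#' earlier on the same line hides the match.
scan_exported_functions() {
    grep -rlE '^[^#]*(export[[:space:]]+-f|(declare|typeset)[[:space:]]+-(fx|xf))[[:space:]]' "$1" 2>/dev/null | sort
}

# Report whether the bash on PATH still hands an exported function to a
# child bash: prints "enabled", "disabled", or "no-bash".
bash_imports_functions() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(bash -c 'cl_probe() { echo imported; }; export -f cl_probe; bash -c cl_probe' 2>/dev/null) || true
    if [ "$out" = imported ]; then echo enabled; else echo disabled; fi
}

# Constructed sample scripts, written into DIR for a dry run.
make_samples() {
    mkdir -p "$1"
    printf '%s\n' '#!/bin/bash' 'log() { echo "$@"; }' 'export -f log' \
        'find . -type f -exec bash -c "log {}" \;' > "$1/uses_export.sh"
    printf '%s\n' '#!/bin/bash' '# export -f is only mentioned here' \
        'export PATH=/usr/local/bin:$PATH' > "$1/plain.sh"
    printf '%s\n' '#!/bin/bash' 'helper() { :; }' 'declare -fx helper' \
        > "$1/uses_declare.sh"
}

# Usage: sh check.sh /path/to/scripts
if [ $# -gt 0 ]; then
    echo "function import: $(bash_imports_functions)"
    scan_exported_functions "$1"
fi
```

Run it before and after installing the new bash: a change from "enabled" to "disabled" together with a non-empty file list marks the scripts to test first.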
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Hello :)

CloudLinux posted the following as a comment on the link you provided:

Igor Seletskiy
10/01/2014 09:07:16
This fix should be cPanel compatible, but it is a beta for a reason -- we cannot fully test cPanel, hence we need clients to try.
If it doesn't work -- you can always roll back with yum downgrade bash
Thank you.
 

mtindor
Michael,

Indeed I saw that. But that really doesn't answer the question at hand. "haven't fully tested" could very well mean "haven't tested at all" and it wouldn't be a lie. That's why I [and probably others] are interested in hearing from those who are already using the beta Bash on their CL/cPanel servers in a production shared hosting environment.

Yep, I'm wanting to benefit from others' experience before taking the plunge myself. Maybe that's selfish, but not everyone can be / wants to be the guinea pig.

And, since the disabling of function imports has been widely discussed in relevant places as a method of blocking any shellshock-related exploits, vendors [RH / CentOS / other distro providers / cPanel / other hosting platform providers] should consider releasing a statement regarding the likelihood of their customers seeing breakage.

CL is the only player [relevant to those running cPanel] who has released a version of bash that goes to this extent thus far, but it could end up being adopted by RH / CentOS as well. So it certainly wouldn't hurt to hear from vendors.

M
 

mtindor
On a couple of CloudLinux servers I have installed the bash available from the CL beta/testing repository. So far so good. I've yet to get any complaints from my clients, and I haven't spotted anything bad in the error logs that I've looked at. That doesn't mean that this version is 100% trouble free. It just means that I have not noticed any issues in the past 24 hours nor have I heard any complaints from my clients since updating to that version of bash.

It still would be nice to get some input from others running the bash from the CL beta repository. I'm sure people are.

m
 

cmanns

Member
Nov 22, 2006
15
0
151
cPanel Access Level
Root Administrator
Yeah, we are using it so far with no complaints; most clients don't do much with SSH functions or odd cPanel functions.

Currently using a bunch of the beta CL repo... not many complaints except (personally) OptimumCache-