This is the official release announcement for IPFire 2.15 Core Update 83. It mainly provides a fix for several security issues in the GNU bash package, also known as “ShellShock” and filed under CVE-2014-6271 and CVE-2014-7169.
It was possible to inject shell commands through the shell environment and have bash execute them. IPFire uses CGI scripts for its web user interface, so authenticated users could execute shell commands with non-root privileges, as could users who had access to the shell on the command line. Other services that execute shell scripts, like the DHCP client, were vulnerable as well.
We regard this as a serious security issue and recommend updating as soon as possible. Please do not forget to reboot your machine afterwards, and check for updates for your other *nix distributions as well, because they are probably vulnerable, too.
It appears that there might be more problems in GNU bash for which there is no working fix available right now. So please stay tuned for more updates.
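To confirm that an updated system (IPFire or another *nix machine) no longer has the two bugs named above, a local check can be run against each installed bash. This is an added example, not part of the IPFire announcement or its tooling; the function names, the `probe` variable, the marker string and the list of paths are assumptions made for illustration, and it covers only CVE-2014-6271 and CVE-2014-7169.

```shell
#!/bin/sh
# Local self-check for the two bash bugs named in the announcement.
# It only starts the given bash binary on this machine.

# CVE-2014-6271: a vulnerable bash executes the text that follows a function
# definition imported from an environment variable.
check_cve_2014_6271() {
    bash_bin=${1:-bash}
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c ':' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# CVE-2014-7169: with the incomplete first fix, a malformed definition left
# parser state behind, so "echo date" ran date with its output redirected to
# a file named "echo". Run in a scratch directory so nothing else is touched.
check_cve_2014_7169() {
    bash_bin=${1:-bash}
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env probe='() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$scratch/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$scratch"
    echo "$result"
}

# Report on every bash found in the usual locations (path list is an assumption).
check_all_bash() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$b" ] || continue
        echo "$b CVE-2014-6271: $(check_cve_2014_6271 "$b")"
        echo "$b CVE-2014-7169: $(check_cve_2014_7169 "$b")"
    done
}
```

Source the file and call `check_all_bash` after updating and rebooting; every line should end in `patched`.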
Further information about this error can be found on:
Thanks to all who provided us with feedback about their testing results. Please support future security fixes by sending us a donation.
Published by Michael Tremer, September 28, 2014 at 5:50 pm