On Fri, Sep 26, 2014 at 03:02:57PM +0100, Mark Rogers wrote:
> I've run some automated tests on some machines of ours that should be vulnerable on the basis of the bash version alone, but none have thrown up issues. We don't generally enable CGI so I think that's the key for us. (That's not to say I'm not patching them anyway...)
We found a few possible attack vectors while we were patching but they were quite obscure and would always need certain types of authenticated users, but of course if someone could get around that then it may be a problem.
On the basis that it had to be done we upgraded everything today, including the 300 machines we did yesterday, to get the latest patch. Total count was over 400 machines, with a few stragglers left in non-public networks where, if people got to them, we already have a bigger problem. They'll all get done next week.
One thing I would suggest is that if you're using Debian you look at installing unattended-upgrades, as around half of our Debian stock had this already, and many machines which didn't have it yesterday, but which I installed it on yesterday, were updated by the time I got to the office.
Adam