Security updates for VM's operating system available

please update the debian operation system on the virtual image.

The well known bash bug is still present there!

e.g. test with

erpnext@erpnext-vm:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Thanks for the report, we’ll release today.

PS: shellshock is not exploitable via nginx

I know, just for got to write a “but dont panic” :smile:

There also some non active packages lilke spamassassin installed.
Maybe you want to run “apt-get autoremove” also.

Okay, adding that to the vm build script. If you can give me a quick help, it’d be awesome.

export DEBIAN_FRONTEND=noninteractive
apt-get -y update
apt-get -y upgrade

seems to get stuck at

    virtualbox-ovf: Get:85 wheezy/main supervisor all 3.0a8-1.1+deb7u1 [186 kB]
    virtualbox-ovf: Fetched 97.8 MB in 1min 37s (998 kB/s)
    virtualbox-ovf: Reading changelogs... Done
    virtualbox-ovf: wget (1.13.4-3+deb7u2) stable-security; urgency=high
    virtualbox-ovf: From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
    virtualbox-ovf: From: Darshit Shah <>
    virtualbox-ovf: Date: Sun, 07 Sep 2014 19:11:17 +0000
    virtualbox-ovf: Subject: CVE-2014-4877: Arbitrary Symlink Access
    virtualbox-ovf: Wget was susceptible to a symlink attack which could create arbitrary
    virtualbox-ovf: files, directories or symbolic links and set their permissions when
    virtualbox-ovf: retrieving a directory recursively through FTP. This commit changes the
    virtualbox-ovf: default settings in Wget such that Wget no longer creates local symbolic
    virtualbox-ovf: links, but rather traverses them and retrieves the pointed-to file in
    virtualbox-ovf: such a retrieval.
    virtualbox-ovf: The old behaviour can be attained by passing the --retr-symlinks=no
    virtualbox-ovf: option to the Wget invokation command.
    virtualbox-ovf: -- Thorsten Alteholz <>  Wed, 29 Oct 2014 19:00:14 +0100
    virtualbox-ovf: ca-certificates (20130119+deb7u1) stable; urgency=low
    virtualbox-ovf: Update mozilla/certdata.txt to version 1.97
    virtualbox-ovf: Certificates added (+), removed (-), and renamed (~):
    virtualbox-ovf: + "ACCVRAIZ1"
    virtualbox-ovf: + "Atos TrustedRoot 2011"
    virtualbox-ovf: + "CA Disig Root R1"
    virtualbox-ovf: + "CA Disig Root R2"
    virtualbox-ovf: + "China Internet Network Information Center EV Certificates Root"
    virtualbox-ovf: + "D-TRUST Root Class 3 CA 2 2009"
    virtualbox-ovf: + "D-TRUST Root Class 3 CA 2 EV 2009"
    virtualbox-ovf: + "E-Tugra Certification Authority"
    virtualbox-ovf: + "PSCProcert"
    virtualbox-ovf: + "SG TRUST SERVICES RACINE"
    virtualbox-ovf: + "StartCom Certification Authority"
    virtualbox-ovf: ~ "StartCom Certification Authority"_2
    virtualbox-ovf: (both StartCom CAs now included with duplicate CKA_LABEL fix)
    virtualbox-ovf: + "Swisscom Root CA 2"
    virtualbox-ovf: + "Swisscom Root EV CA 2"
    virtualbox-ovf: + "T-TeleSec GlobalRoot Class 2"
    virtualbox-ovf: + "TURKTRUST Certificate Services Provider Root 2007"
    virtualbox-ovf: + "TWCA Global Root CA"
    virtualbox-ovf: + "TeliaSonera Root CA v1"
    virtualbox-ovf: + "Verisign Class 3 Public Primary Certification Authority"
    virtualbox-ovf: ~ "Verisign Class 3 Public Primary Certification Authority"_2
    virtualbox-ovf: (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
    virtualbox-ovf: - "Equifax Secure eBusiness CA 2"
    virtualbox-ovf: - "Firmaprofesional Root CA"
    virtualbox-ovf: - "TC TrustCenter Universal CA III"
    virtualbox-ovf: - "TDC OCES Root CA"
    virtualbox-ovf: - "Wells Fargo Root CA"
    virtualbox-ovf: -- Michael Shuler <>  Sun, 30 Mar 2014 17:49:01 -0500

Any ideas on how to make it fire and forget? Or maybe I should setup unattended-upgrades

I would give

a test

And here some more

Thanks, adding -qq stopped the pager from coming.