Security updates for VM's operating system available

Please update the Debian operating system on the virtual image.

The well-known bash bug is still present there!

e.g. test with

    erpnext@erpnext-vm:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

Thanks for the report, we’ll release today.

PS: shellshock is not exploitable via nginx

I know, just forgot to write a “but don't panic” :smile:

There are also some non-active packages like spamassassin installed.
Maybe you want to run “apt-get autoremove” also.

Okay, adding that to the vm build script. If you can give me a quick help, it’d be awesome.

    export DEBIAN_FRONTEND=noninteractive
    apt-get -y update
    apt-get -y upgrade

seems to get stuck at

    virtualbox-ovf: Get:85 http://cdn.debian.net/debian/ wheezy/main supervisor all 3.0a8-1.1+deb7u1 [186 kB]
    virtualbox-ovf: Fetched 97.8 MB in 1min 37s (998 kB/s)
    virtualbox-ovf: Reading changelogs... Done
    virtualbox-ovf: wget (1.13.4-3+deb7u2) stable-security; urgency=high
    virtualbox-ovf:
    virtualbox-ovf: From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
    virtualbox-ovf: From: Darshit Shah <darnir@gmail.com>
    virtualbox-ovf: Date: Sun, 07 Sep 2014 19:11:17 +0000
    virtualbox-ovf: Subject: CVE-2014-4877: Arbitrary Symlink Access
    virtualbox-ovf:
    virtualbox-ovf: Wget was susceptible to a symlink attack which could create arbitrary
    virtualbox-ovf: files, directories or symbolic links and set their permissions when
    virtualbox-ovf: retrieving a directory recursively through FTP. This commit changes the
    virtualbox-ovf: default settings in Wget such that Wget no longer creates local symbolic
    virtualbox-ovf: links, but rather traverses them and retrieves the pointed-to file in
    virtualbox-ovf: such a retrieval.
    virtualbox-ovf:
    virtualbox-ovf: The old behaviour can be attained by passing the --retr-symlinks=no
    virtualbox-ovf: option to the Wget invokation command.
    virtualbox-ovf:
    virtualbox-ovf: -- Thorsten Alteholz <debian@alteholz.de>  Wed, 29 Oct 2014 19:00:14 +0100
    virtualbox-ovf:
    virtualbox-ovf: ca-certificates (20130119+deb7u1) stable; urgency=low
    virtualbox-ovf:
    virtualbox-ovf: Update mozilla/certdata.txt to version 1.97
    virtualbox-ovf: Certificates added (+), removed (-), and renamed (~):
    virtualbox-ovf: + "ACCVRAIZ1"
    virtualbox-ovf: + "Atos TrustedRoot 2011"
    virtualbox-ovf: + "CA Disig Root R1"
    virtualbox-ovf: + "CA Disig Root R2"
    virtualbox-ovf: + "China Internet Network Information Center EV Certificates Root"
    virtualbox-ovf: + "D-TRUST Root Class 3 CA 2 2009"
    virtualbox-ovf: + "D-TRUST Root Class 3 CA 2 EV 2009"
    virtualbox-ovf: + "E-Tugra Certification Authority"
    virtualbox-ovf: + "PSCProcert"
    virtualbox-ovf: + "SG TRUST SERVICES RACINE"
    virtualbox-ovf: + "StartCom Certification Authority"
    virtualbox-ovf: ~ "StartCom Certification Authority"_2
    virtualbox-ovf: (both StartCom CAs now included with duplicate CKA_LABEL fix)
    virtualbox-ovf: + "Swisscom Root CA 2"
    virtualbox-ovf: + "Swisscom Root EV CA 2"
    virtualbox-ovf: + "T-TeleSec GlobalRoot Class 2"
    virtualbox-ovf: + "TURKTRUST Certificate Services Provider Root 2007"
    virtualbox-ovf: + "TWCA Global Root CA"
    virtualbox-ovf: + "TeliaSonera Root CA v1"
    virtualbox-ovf: + "Verisign Class 3 Public Primary Certification Authority"
    virtualbox-ovf: ~ "Verisign Class 3 Public Primary Certification Authority"_2
    virtualbox-ovf: (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
    virtualbox-ovf: - "Equifax Secure eBusiness CA 2"
    virtualbox-ovf: - "Firmaprofesional Root CA"
    virtualbox-ovf: - "TC TrustCenter Universal CA III"
    virtualbox-ovf: - "TDC OCES Root CA"
    virtualbox-ovf: - "Wells Fargo Root CA"
    virtualbox-ovf:
    virtualbox-ovf: -- Michael Shuler <michael@pbandjelly.org>  Sun, 30 Mar 2014 17:49:01 -0500
    virtualbox-ovf:

Any ideas on how to make it fire and forget? Or maybe I should set up unattended-upgrades?

I would give https://wiki.debian.org/UnattendedUpgrades a test.

And here is some more:

https://raymii.org/s/tutorials/Silent-automatic-apt-get-upgrade.html

Thanks, adding -qq stopped the pager from coming.
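
The following is an added example, not code from any poster in this thread or from the ERPNext build script: a POSIX shell fragment that combines the suggestions above (quiet non-interactive upgrade, autoremove) and fails the build if the bash test from the first post still prints `vulnerable`. The function names and the `--run` switch are assumptions made for this example, and `APT_LISTCHANGES_FRONTEND=none` and the `Dpkg::Options` settings go beyond the `-qq` mentioned in the thread.

```shell
#!/bin/sh
# Added example: unattended upgrade step for a VM image build, followed by the
# bash check quoted in the thread. Function names and --run are hypothetical.

# Exit status: 0 = shell at $1 ignores the crafted variable, 1 = it executed
# the trailing command (prints "vulnerable"), 2 = shell could not be run.
bash_is_patched() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-/bin/bash}" -c 'echo probe' 2>/dev/null) || return 2
    case "$out" in
        *vulnerable*) return 1 ;;
        probe)        return 0 ;;
        *)            return 2 ;;
    esac
}

# apt-get with every prompt source silenced:
#   DEBIAN_FRONTEND=noninteractive   no debconf questions (from the thread)
#   -qq                              quiet output (the fix reported in the thread)
#   APT_LISTCHANGES_FRONTEND=none    assumption: also silence apt-listchanges,
#                                    the tool that pages changelogs
#   --force-confdef/--force-confold  assumption: keep existing config files
#                                    instead of asking about changed ones
apt_quiet() {
    DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none \
        apt-get -y -qq \
            -o Dpkg::Options::=--force-confdef \
            -o Dpkg::Options::=--force-confold "$@"
}

upgrade_image() {
    apt_quiet update && apt_quiet upgrade && apt_quiet autoremove || return 1
    # Fail the build rather than ship an image whose bash still prints "vulnerable".
    if ! bash_is_patched /bin/bash; then
        echo "bash check failed after upgrade" >&2
        return 1
    fi
}

# Only touch the system when asked to, e.g. `sh upgrade.sh --run` as root.
if [ "${1:-}" = "--run" ]; then
    upgrade_image
fi
```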