mac Shellshock bug and OS X FileMaker Server

[xochi]

FileMaker Server uses Apache on OS X, and edits the configuration file ( /private/etc/apache2/httpd.conf ) and enables apache.   This means that if one is running filemaker server, one is (usually) running apache.  The new 'shellshock' bug would seem to be a concern in this situation.

 

I'm running a few OS X servers that have FM Server and Apache running.  I've decided to stop apache this morning until I understand the risks.

 

Background on shellshock : http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

[Lee Smith]

Is your FileMaker version 13 or 11?

 

If 13, then please upgrade your Profile to show your current Version of FileMaker, OS and Platform.

 

Here a quick link to your profile. MY PROFILE

[xochi]

Hi Lee - the profile doesn't let one choose multiple versions.   I'm running FMS 11 and FMS 13 on different machines.   I believe the vulnerability applies to any version of FMS which uses apache on Mac OS X, which I believe would cover 9, 10, 11, 12, and 13...

[Lee Smith]

 the profile doesn't let one choose multiple versions. 

Your Profile should just reflect your current version!

 

Just provide the other information so we know that you are thinking this is a broader problem other than 13. When you post it in the 13 topics, I have no way of knowing whether or not you just posted in the first topic, or if the question is about 13. We automatically assume that the Profile is correct a long with the other info. 

 

Also, why did you pick the General Topic over one of the Server Topics?

 

I’m on my way out to meet with a client, I will pick this up later today.

Edited September 26, 2014 by Lee Smith
Rewrote the Reply.

[cbum]

I would be very interested in this as well.

 

 

[xochi]

The right thing to do would be to turn off the server / apache functions until Apple releases an update.  Many of us can't wait that long.

 

What I did:

* shut down the server and think about it

* found a bash fix which I trusted - recompiled it and installed it.  For example : 

  http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an

* restarted servers

[Dave Carmean]

Thank you Xochi!  I followed the instructions in your link (apple stackexchange) for our Filemaker 11 server on mountain lion (client, not server).  No problems.  

 

Update- I install the bash fix Friday night but did not restart the server until Monday morning.  The bash fix does not require restarting the system, but the system logs will include some errors as the signature of the new bash does not correspond to the record until after a restart.  And I always need to restart the web server [sudo apachectl graceful] after restarting the system.

[cbum]

Apple just released a patch for 10.7 - 10.9.

 

I still need one for 10.6  ....

[Richard Fincher]

On some of my older Linux boxes, I had to recompile bash from source. This isn't going to be easy on a mac, as you'd need a c compiler first (like the one which comes with XCode) it is doable though.