Shell shock bug - Cause for concern?

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

Thank you for reporting. The issue seems to be critical when the Apache server is used; this is not the case here, since Volumio relies on nginx. However, SSH and bash are present, so we will upgrade them in the next version.

No worries.

There’s a little command you can type in to test whether a distribution is vulnerable:

env X="() { :;} ; echo busted" `which bash` -c "echo completed"

An output of “busted” means it is vulnerable, and that’s what was reported when I tried on my Volumio installation.

http://www.raspberrypi.org/forums/viewtopic.php?f=66&t=87812

Is it safe to do a package upgrade on Volumio, or will it mess things up? That link suggests this as a remedy for a Raspbian install:

sudo apt-get update && sudo apt-get -y dist-upgrade

I just did:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable
this is a test

Update bash with:

sudo apt-get update && sudo apt-get install bash

then redo:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

this is a test

No longer shows as vulnerable. Tried Volumio, and nothing seems to be broken, and the answer returned is “this is a test”.

Seems to work fine for me. So far so good anyway! Thanks!
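The env test quoted in the posts above, wrapped in a small POSIX shell function so it can be run from a script on several Volumio or Raspbian boxes and checked by exit code rather than by eye. This is an added example, not a script from the thread or from the Volumio project; it assumes only that the bash to be tested is on PATH (or is passed as the first argument) and uses the same marker string as the thread.

```shell
#!/bin/sh
# Added example (not from the original thread or from Volumio).
# Wraps the forum's "env x='() { :;}; echo vulnerable' bash -c ..." test
# so that the result is an exit code a script can act on.

# shellshock_check [path-to-bash]
#   0 = the trailing command was NOT executed (patched bash)
#   1 = the marker leaked out: bash ran code that trailed the function
#       definition while importing the environment (vulnerable)
#   2 = no bash found at that path (nothing was tested)
shellshock_check() {
    target_bash="${1:-bash}"
    # Without this guard a missing bash would produce empty output and be
    # reported as "safe", which is the wrong answer for an absent binary.
    command -v "$target_bash" >/dev/null 2>&1 || return 2
    # Same test as in the thread: an exported variable holding a function
    # definition followed by an extra command. A patched bash ignores the
    # extra command; an unpatched one runs it and prints "vulnerable".
    out="$(env x='() { :;}; echo vulnerable' "$target_bash" -c 'echo this is a test' 2>/dev/null)"
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# bash_version_string [path-to-bash]
#   Prints the first line of "bash --version", so the log records which
#   build was tested.
bash_version_string() {
    "${1:-bash}" --version 2>/dev/null | head -n 1
}

# Stand-alone run: report the result for the bash on PATH.
rc=0
shellshock_check || rc=$?
case "$rc" in
    0) echo "OK: $(bash_version_string) does not import trailing commands" ;;
    1) echo "VULNERABLE: $(bash_version_string) executed the trailing echo"
       echo "Remedy from the thread: sudo apt-get update && sudo apt-get install bash" ;;
    2) echo "bash not found; nothing tested" ;;
esac
```

Run it once before and once after `apt-get install bash`; the exit code moves from 1 to 0 exactly when the output in the posts above loses its “vulnerable” line, which makes it usable in a loop over several hosts via ssh.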

If we are worrying about security issues, Volumio ships with SSH open and widely known usernames and passwords. So anyone on the local network can easily get root access to a Volumio.

Perhaps the install instructions should explain how to change the password, and Volumio should refuse to play music until the password is changed.

I already suggested providing a script in the web GUI that, on the first run, asks for new passwords for the pi, volumio, and root users.
However, I don’t know how to program the web GUI, so anyone willing to help should jump in.

In any case, I updated the distro and now the bug seems to be closed (at least, it is on par with the most updated bash).

I figure anyone on my network has my WPA2 pass phrase (wireless) and access to my router and LAN anyway, so the SSH access doesn’t worry me particularly - not a lot to be gained from hacking Volumio. Having said that, as a matter of course, I change the SSH password every time I image an SD card - one must remember to change both the root and non-root passwords, since “sudo” commands can be run without having root access. :wink: