We have patched servers on the virtual machines that run most of the Merritt service (UI, Ingest and Inventory). There are some servers for parts of Merritt that haven't been patched yet, primarily for the Merritt storage service. However, these are behind the CDL firewall and don't receive any direct external input; everything is mediated through the API or UI, which are both implemented in Ruby/Rails, so we believe we're well protected against someone trying to exploit the vulnerability. We are continuing to analyze the situation. Please let us know if you have any questions.

Perry


From: Perry Willett
Sent: Friday, September 26, 2014 10:22 AM
To: [log in to unmask]
Subject: ShellShock vulnerability and Merritt

You may have heard about the vulnerability to online services involving Bash scripts that's being called "Shellshock." More info on this bug is here:
http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/

We're aware of the vulnerabilities surrounding this issue and are analyzing our systems to see if we're affected. We'll keep you informed as we learn more. Let us know any questions or concerns. Best,

Perry

Perry Willett
Digital Preservation Services Manager
California Digital Library
415 20th St., 4th Floor
Oakland CA 94612-2901
Ph: 510-987-0078
Fax: 510-893-5212
Email: [log in to unmask]