We have patched servers on the virtual machines that run most of the Merritt service (UI, Ingest and Inventory). There are some servers for parts of Merritt that haven't been patched yet, primarily for the Merritt storage service. However, these are behind the CDL firewall and don't receive any direct external input; everything is mediated through the API or UI, which are both implemented in Ruby/Rails, so we believe we're well protected against someone trying to exploit the vulnerability.

We are continuing to analyze the situation. Please let us know if you have any questions.

Perry

From: Perry Willett
Sent: Friday, September 26, 2014 10:22 AM
To: [log in to unmask]
Subject: ShellShock vulnerability and Merritt

You may have heard about the vulnerability to online services involving Bash scripts that's being called "Shellshock." More info on this bug is here:

http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/

We're aware of the vulnerabilities surrounding this issue and are analyzing our systems to see if we're affected. We'll keep you informed as we learn more. Let us know any questions or concerns.

Best,
Perry

Perry Willett
Digital Preservation Services Manager
California Digital Library
415 20th St., 4th Floor
Oakland CA 94612-2901
Ph: 510-987-0078
Fax: 510-893-5212
Email: [log in to unmask]