Subsonic Forum

[eggsyntax]

Hey y'all,

Can anyone confirm whether Subsonic exposes a vulnerability to the Shellshock bug? Off the top of my head, it seems like it plausibly might, and it would be a very nice thing to know, especially since it would be awfully easy to write a script that probed various [name].subsonic.org addresses.

Thanks!

[daneren2005]

I can't imagine it would be. Bash is mostly a OSX/Linux thing, and Subsonic is based of Java and deployed on a ton of Windows servers. I therefore highly doubt it would depend on Bash in any way. Either way though, even it did it, chances are it would be only one vulnerable system among many on your server. The system itself needs to be updated regardless of whether Subsonic is specifically vulnerable, and if it is it will be fixed at the same time as everything else.

[eggsyntax]

I can't imagine it would be. Bash is mostly a OSX/Linux thing, and Subsonic is based of Java and deployed on a ton of Windows servers. I therefore highly doubt it would depend on Bash in any way.

Good point, I'd forgotten that it was Java-based.

Either way though, even it did it, chances are it would be only one vulnerable system among many on your server. The system itself needs to be updated regardless of whether Subsonic is specifically vulnerable, and if it is it will be fixed at the same time as everything else.

Oh, agreed! I was just trying to decide whether to take it offline for a few days until I can get a patch in place.

[gurutech]

If you have a Linux system, run the latest software updates ("yum update" for redhat-based systems), and the bash vulnerability has been patched.

[eggsyntax]

OS X. I'm a programmer, so I'd be comfortable recompiling bash, but since a) Apple's announced they're working on a fix, and b) there have been some mixed reports of whether the updated bash fully fixes the bug on OS X, it's easier for me to just wait. I expose some services to the internet (ssh, web server, etc) but nothing I can't comfortably live without for a few days. TBH, Subsonic would have been the single most annoying thing to live without, so it's nice to know I (presumably) don't need to.