Update - September 26: Further vulnerabilities have been discovered in bash (CVE-2014-7169) and all major distributions have updated their bash packages. If you haven't done so, update all copies of bash again using the instructions below.
Earlier today serious vulnerabilities in bash were discovered (CVE-2014-6271 aka Shellshock or "Bash Bug") which allow arbitrary code execution using specially-crafted environment variables. You can read more about it at Wikipedia.
Buildbox is a platform for automating your build processes using your own scripts (often bash scripts), with data being passed to them from the build-agent using environment variables (configured via the web interface). We've been working hard to fully investigate the attack and to roll out numerous fixes to help protect all customers.
Steps we've taken in the past 24 hours:
This will help to protect your build agents from being compromised via the Buildbox web interface.
Even though we've taken these steps, it's still extremely important that you update bash on your build servers.
Steps you need to take immediately:
sudo apt-get update && sudo apt-get install --only-upgrade bash
sudo yum update bash
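To confirm the update reached every copy of bash on a build server, the following check can be run after upgrading. It is an added example, not Buildbox's own tooling; the function names and the marker string are made up for illustration, and it tests only the original CVE-2014-6271 behaviour, not CVE-2014-7169.

```shell
#!/bin/sh
# Added example: probe every copy of bash on a build server for CVE-2014-6271.
MARKER=SHELLSHOCK_PROBE_MARKER   # constructed string, only used by this check

# Print "vulnerable", "patched" or "error" for one shell binary.
check_bash() {
    # The variable holds a function definition with a command appended.
    # An unpatched bash runs the appended echo while importing the variable;
    # a patched bash treats the value as plain data.
    out=$(env x="() { :;}; echo $MARKER" "$1" -c 'echo probe-ran' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *probe-ran*) echo patched ;;
        *)           echo error ;;      # binary missing or would not start
    esac
}

# List candidate bash binaries: entries in /etc/shells plus anything on PATH.
list_bash_copies() {
    {
        if [ -r /etc/shells ]; then grep '/bash$' /etc/shells || true; fi
        old_ifs=$IFS; IFS=:
        for dir in $PATH; do
            if [ -x "$dir/bash" ]; then echo "$dir/bash"; fi
        done
        IFS=$old_ifs
    } | sort -u
}

# Check the given paths (default: list_bash_copies). Returns 1 if any copy is
# vulnerable or could not be tested, so it can gate a build-agent start script.
scan_bash_copies() {
    if [ $# -eq 0 ]; then set -- $(list_bash_copies); fi
    rc=0
    for shell_path in "$@"; do
        result=$(check_bash "$shell_path")
        echo "$result $shell_path"
        if [ "$result" != patched ]; then rc=1; fi
    done
    return $rc
}

scan_bash_copies || echo "Update bash on this host and run the check again."
```

Copies of bash installed outside /etc/shells and PATH (for example inside containers or chroots used by builds) can be passed to scan_bash_copies as arguments.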
We'll continue to monitor the vulnerability and roll out any further fixes as they come to light, as well as updating this blog post and tweeting from @buildbox.
If you need assistance updating your server, or have any questions, send an email to support@buildkite.com.