------------------------------------------------------------------------------ SUMMARY : BalaBit products are not exposed to CVE-2014-6271 PACKAGE : Shell Control Box, syslog-ng Store Box, syslog-ng PE VERSION : All versions DATE : Sep 26, 2014 ------------------------------------------------------------------------------ DESCRIPTION: As published a few days ago, a bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems. The BalaBit Security Team has analyzed the source code of all supported versions of every BalaBit products, and concluded that although our products contain the impacted version of Bash, none of our products are exploitable by the vulnerability described in CVE-2014-6271 aka. 'Shell Shock' or 'Bash vulnerability'. We will incorporate the required Bash patches in the next regular security updates. The following product versions were analyzed: syslog-ng PE 4.0: There is no attack vector in this product. 5.0: There is no attack vector in this product. 5.1: There is no attack vector in this product. SSB 3.0: The code review showed no vulnerable code. 3.1: The code review showed no vulnerable code. 3.2: The code review showed no vulnerable code. SCB 3.0: The code review showed no vulnerable code. 3.5: The code review showed no vulnerable code. 4.0: The code review showed no vulnerable code. For further information regarding the vulnerability, please consult: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 Best Regards, BalaBit You are receiving this email because you showed interest in our products. Unsubscribe <http://www.balabit.com/newsletter/unsubscribe/4398019b4f2681fdce75b07177a6376942acc171/70ad6e5f080b1071> from the syslog-ng Premium Edition Technical Newsletter.