September 25, 2014

Shellshock Update: Perforce Response to the Bash Bug

Perforce is aware of recent reports on vulnerabilities in 'bash' that allow an attacker to utilize environment variables to execute arbitrary commands on vulnerable systems under specific conditions.

Please note, while there are multiple vulnerabilities in bash, only a couple have been patched at this time. Further patches are expected and should also be applied when available.

We are not aware of any specific vulnerabilities in Perforce software. However, it is possible that custom trigger scripts or other third-party extensions could be impacted. We are continuing to test for any vulnerabilities in Perforce's use of bash, and we will make an immediate announcement if we find any.

This is a critical vulnerability that potentially impacts many systems. Perforce is upgrading all of our external-facing servers with the latest versions of bash. We strongly advise customers to obtain and install the latest version of bash (most commonly achieved by installing system updates).

If you are utilizing a Perforce-provided OVA (Open Virtualization Archive—virtual machine images we make available for Swarm, Git Fusion, Commons and Insights), you can perform this upgrade by running:

  • sudo apt-get update
  • sudo apt-get upgrade
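To confirm the upgrade took effect, the following added example (not Perforce's code) checks each installed bash binary for the environment-variable command execution described above. The names `probe_bash`, `report_bash` and `bashcheck` and the candidate paths are assumptions. It tests only that one behaviour, so a "patched" result says nothing about the further bash fixes this notice expects.

```sh
#!/bin/sh
# Added example: local post-upgrade check, not Perforce tooling.
# probe_bash BIN prints one of: vulnerable | patched | missing
probe_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 2
    fi
    # Per-run marker so unrelated output cannot cause a false positive.
    marker="bashcheck_$$"
    # An unpatched bash parses the function-shaped value at startup and also
    # runs the command that trails the function body, printing the marker.
    # A patched bash treats the value as plain data and prints nothing.
    out=$(env "bashcheck=() { :;}; echo $marker" "$bin" -c ':' 2>/dev/null) || true
    case $out in
        *"$marker"*)
            echo vulnerable
            return 1
            ;;
    esac
    echo patched
    return 0
}

# Report on every bash found in the usual locations (paths are assumptions;
# add any others that trigger scripts on your server call explicitly).
report_bash() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        if [ -x "$b" ]; then
            printf '%s: %s\n' "$b" "$(probe_bash "$b")"
        fi
    done
}

report_bash
```

Run it again after each subsequent bash update, and on any host where custom trigger scripts execute.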

We have also updated our product OVAs to include the patched version of bash. You can download them from our website at...

We will make follow-on updates as further critical patches to bash are released.

Please contact Perforce Support at [email protected] if you have any questions or concerns.