Internet2 Update Regarding Shellshock

[Paul Howell <phowell () INTERNET2 EDU>]

As you are all aware, "shellshock" in Bash allowed attackers to potentially gain unauthorized access to certain 
computer systems and applications.  Given the wide use of Bash in many operating systems and applications, updating you 
on the patch status of Internet2 seemed appropriate.    Following are the highlights:

Presently all services running that support the Internet2 Network at Internet2 and at our operations center at Indiana 
University have been patched. In addition, Internet2's internal systems, including InCommon, have been patched.

Internet2 is working with its partners to rapidly update open source development packages it supports, such as 
perfSONAR, as patches become available for the Bash shell on the operating systems upon which perfSONAR may be 
deployed. Although there is no known direct vulnerability in the perfSONAR software distribution itself, the team has 
been working with community members to address known vulnerabilities in the underlying operating systems that are 
bundled with perfSONAR toolkits and will continue to monitor ongoing security-related patches.

Internet2 NET+ service providers have, where applicable, already taken steps to notify existing participants regarding 
remediation and scope of effect for their various service offerings. While Internet2 is aware of the community concerns 
around this and future incidents, we are endeavoring to facilitate and encourage direct communication with the service 
providers who will always be the authoritative sources for their offerings.

Please see: https://www.internet2.edu/products-services/support/internet2-shellshock-update/ for a complete update

Regards.
Paul Howell
Chief Cyberinfrastructure Security Officer
Internet2