BASH security vulnerability
Lars Noodén
lars.nooden at gmail.com
Wed Oct 8 19:57:28 UTC 2014
> The Shellshock vulnerability.
Desktops were largely unaffected. The machines that were vulnerable
were primarily servers that met three conditions:
a. running publicly available scripts
b. those scripts were shell scripts, which is in itself rare as Perl,
Python and PHP are common.
c. those shell scripts were running bash instead of sh, ash or dash
(Ubuntu's default for scripts), which is rare even for public shell
scripts.
However, given the large number of servers potentially affected, there
were some that turned out to be vulnerable. I'm not sure if the DHCP
client specific to (L)Ubuntu was potentially affected or not. But for
the most part, despite having bash, desktops are not vulnerable because
they are not set up to offer bash (or any other) scripts to outsiders.
About the patching. Ubuntu patched quickly and a normal update fixes
the problem(s).
http://www.ubuntu.com/usn/usn-2364-1/
http://www.ubuntu.com/usn/usn-2363-2/
http://www.ubuntu.com/usn/usn-2363-1/
http://www.ubuntu.com/usn/usn-2362-1/
There's not a proper date-time stamp on Ubuntu's announcements above,
but the first one at least was right quick, more or less concurrent with
the public announcement. Yes, CVE-2014-6271 and co were a big deal due
to a really unfortunate misfeature, but part of the visibility is due to
the media's enthusiasm for man-bites-dog stories combined with other
interested parties marketing the heck out of said bugs.
Lastly, extreme bugs like this and the previous server bug have been
rare, which is part of the reason antagonists go out and market the bugs
under a brand name. The other one even had a company go out and
register a web site and hire a web developer to prepare promotional
materials prior to announcing the bug.
So given the visibility I understand the concern.
Regards,
/Lars
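
The three conditions in the message above can be checked on a server by looking at which interpreter each publicly served script actually runs under. The following is an added example, not part of the original message: the names interp_of, audit_dir and SH_PATH are made up for this sketch, and it assumes a readlink that supports -f.

```shell
#!/bin/sh
# Added example (not from the original message): find scripts that run under bash.
# interp_of, audit_dir and SH_PATH are names made up for this sketch.
SH_PATH="${SH_PATH:-/bin/sh}"   # what "sh" means on this host (dash on Ubuntu)

# interp_of FILE: print bash | sh-is-bash | sh | other-shell | not-shell | none
interp_of() {
    first=
    IFS= read -r first < "$1" || true          # first line only; EOF without newline is fine
    case "$first" in
        '#!'*) first=${first#'#!'} ;;
        *) echo none; return 0 ;;
    esac
    first=$(printf '%s' "$first" | tr -d '\r') # tolerate CRLF line endings
    set -f; set -- $first; set +f              # split into words without globbing
    prog=${1##*/}
    if [ "$prog" = env ]; then                 # "#!/usr/bin/env bash": skip options/assignments
        shift
        while [ $# -gt 0 ]; do
            case "$1" in -*|*=*) shift ;; *) break ;; esac
        done
        prog=${1##*/}
    fi
    case "$prog" in
        bash) echo bash ;;
        sh) case "$(readlink -f "$SH_PATH" 2>/dev/null)" in
                */bash) echo sh-is-bash ;;     # "sh" is only a name; bash may be behind it
                *) echo sh ;;
            esac ;;
        dash|ash|ksh|mksh|zsh) echo other-shell ;;
        '') echo none ;;
        *) echo not-shell ;;
    esac
}

# audit_dir DIR: list files under DIR whose shebang ends up executing bash
audit_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        kind=$(interp_of "$f")
        case "$kind" in
            bash|sh-is-bash) printf '%s\t%s\n' "$kind" "$f" ;;
        esac
    done
}

if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

Run it with the directory of served scripts as its only argument; each output line is a classification and a path, and anything listed should be on a host with the patched bash.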