BASH security vulnerability

Andre Rodovalho andre.rodovalho at gmail.com
Wed Oct 8 20:35:53 UTC 2014


Jesus, people are comparing Win7 security with Linux?

Tell those guys not to worry, in case of doubt, hire a serious security
consulting agency...

2014-10-08 16:57 GMT-03:00 Lars Noodén <lars.nooden at gmail.com>:

> > The Shellshock vulnerability.
>
> Desktops were largely unaffected.  The machines that were vulnerable
> were primarily servers that met three conditions:
>
> a. running publicly available scripts
>
> b. those scripts were shell scripts, which is in itself rare as Perl,
> Python, PHP are common.
>
> c. those shell scripts were running bash instead of sh, ash or dash
> (Ubuntu's default for scripts), which is rare even for public shell
> scripts.
>
> However, given the large number of servers potentially affected, there
> were some that turned out to be vulnerable.  I'm not sure if the dhcp
> client specific to (L)Ubuntu was potentially affected or not.  But for
> the most part, despite having bash, desktops are not vulnerable because
> they are not set up to offer bash (or any other) scripts to outsiders.
>
> About the patching.  Ubuntu patched quickly and a normal update fixes
> the problem(s).
>
>  http://www.ubuntu.com/usn/usn-2364-1/
>  http://www.ubuntu.com/usn/usn-2363-2/
>  http://www.ubuntu.com/usn/usn-2363-1/
>  http://www.ubuntu.com/usn/usn-2362-1/
>
> There's not a proper date-time stamp on Ubuntu's announcements above,
> but the first one at least was right quick more or less concurrent with
> the public announcement.  Yes, CVE-2014-6271 and co were a big deal due
> to a really unfortunate misfeature but part of the visibility is due to
> media's enthusiasm for man-bites-dog stories combined with other
> interested marketing the heck out of said bugs.
>
> Lastly, extreme bugs like this and the previous server bug have been
> rare which is part of the reason antagonists go out and market the bugs
> under a brand name.  The other one even had a company go out and
> register a web site and hire a web developer to prepare promotional
> materials prior to announcing the bug.
>
> So given the visibility I understand the concern.
>
> Regards,
> /Lars
>
> --
> Lubuntu-users mailing list
> Lubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/lubuntu-users
>
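
Conditions (b) and (c) in the quoted message can be checked on a server by looking at which interpreter each web-exposed script actually runs under. The script below is an added example, not part of the original thread; the function names, the `SH_PATH` variable and the directory argument are assumptions, and `readlink -f` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: list executable scripts in a directory (e.g. a cgi-bin)
# that would be run by bash, directly or because sh resolves to bash.
# SH_PATH is an assumed override so the sh -> target lookup can be tested.
SH_PATH=${SH_PATH:-/bin/sh}

# interpreter_of FILE: print bash, posix-sh, other, or none (no shebang).
interpreter_of() {
    first=
    IFS= read -r first < "$1" || :      # first line only; tolerate missing newline
    case $first in
        '#!'*) first=${first#'#!'} ;;
        *)     echo none; return 0 ;;
    esac
    set -f; set -- $first; set +f       # split shebang into words, no globbing
    interp=${1##*/}
    # "#!/usr/bin/env bash": the real interpreter is the next word.
    if [ "$interp" = env ]; then interp=${2##*/}; fi
    case $interp in
        bash)
            echo bash ;;
        sh) # Condition (c): sh is only a problem where it resolves to bash.
            target=$(readlink -f "$SH_PATH" 2>/dev/null) || target=$SH_PATH
            if [ "${target##*/}" = bash ]; then echo bash; else echo posix-sh; fi ;;
        dash|ash)
            echo posix-sh ;;
        *)  # perl, python, php and anything else: condition (b) not met.
            echo other ;;
    esac
}

# bash_exposed DIR: print executable regular files under DIR that run under bash.
bash_exposed() {
    find "$1" -type f -perm -100 | sort | while IFS= read -r f; do
        if [ "$(interpreter_of "$f")" = bash ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: pass the directory the web server executes scripts from.
if [ "$#" -gt 0 ]; then
    bash_exposed "$1"
fi
```

An empty result means no script in that directory meets conditions (b) and (c); it does not replace installing the bash updates listed in the quoted message.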