BASH security vulnerability

Israel israeldahl at gmail.com
Thu Oct 9 01:26:16 UTC 2014


Hi Marc,
I'd like to reiterate what Lars said.
The bug was patched almost as soon as the news broke.  It was seamless.
However, Apple users had to wait a week or so for an update.  We got it
MUCH faster, and they are 'known' for security.

After the story broke I ran sudo apt-get update && sudo apt-get upgrade
and sure enough... bash was there
Then I saw bash appear again a couple of times when new vulnerabilities
were discovered.

What this basically means is:

LOTS of BIG companies are REALLY interested in keeping Linux secure.

Examples of big companies that use Ubuntu, and rely on it:

Google
Facebook
Wikipedia
IBM (released a new server with support ONLY for Ubuntu... not even RHEL
or Oracle)
Steam

Nearly all of the supercomputers in the world run Linux.
Nearly all of the smartphones run Linux.

There are *lots* of people who look for problems in the underlying
structure.  Lots of people investing lots of money into making sure
everything gets fixed.

But of course, this is mainly for the kernel and underlying mechanisms.
Not too many big companies invest in LXDE, or XFCE... though I suppose
RHEL invests in Gnome, so we get some trickle-down from the improved
programs there.


On 10/08/2014 02:57 PM, Lars Noodén wrote:
>> The Shellshock vulnerability.
> Desktops were largely unaffected.  The machines that were vulnerable
> were primarily servers that met three conditions:
>
> a. running publicly available scripts
>
> b. those scripts were shell scripts, which is in itself rare as perl,
> python, php are common.
>
> c. those shell scripts were running bash instead of sh, ash or dash
> (ubuntu's default for scripts), which is rare even for public shell
> scripts.
>
> However, given the large number of servers potentially affected, there
> were some that turned out to be vulnerable.  I'm not sure if the dhcp
> client specific to (L)Ubuntu was potentially affected or not.  But for
> the most part, despite having bash, desktops are not vulnerable because
> they are not set up to offer bash (or any other) scripts to outsiders.
>
> About the patching.  Ubuntu patched quickly and a normal update fixes
> the problem(s).
>
>  http://www.ubuntu.com/usn/usn-2364-1/
>  http://www.ubuntu.com/usn/usn-2363-2/
>  http://www.ubuntu.com/usn/usn-2363-1/
>  http://www.ubuntu.com/usn/usn-2362-1/
>
> There's not a proper date-time stamp on Ubuntu's announcements above,
> but the first one at least was right quick more or less concurrent with
> the public announcement.  Yes, CVE-2014-6271 and co were a big deal due
> to a really unfortunate misfeature but part of the visibility is due to
> media's enthusiasm for man-bites-dog stories combined with other
> interested marketing the heck out of said bugs.
>
> Lastly, extreme bugs like this and the previous server bug have been
> rare which is part of the reason antagonists go out and market the bugs
> under a brand name.  The other one even had a company go out and
> register a web site and hire a web developer to prepare promotional
> materials prior to announcing the bug.
>
> So given the visibility I understand the concern.
>
> Regards,
> /Lars
>


-- 
Regards
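An audit that follows from Lars's three conditions, added here as an example (it is not from the thread, nor from Ubuntu): given a directory of scripts a server exposes, list the ones that would actually run under bash. The cgi-bin path and the sample script names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a directory of server-exposed
# scripts (for example a cgi-bin) and list those that would execute under
# bash, i.e. the scripts meeting Lars's condition (c). Perl, Python and PHP
# scripts are skipped, and a "#!/bin/sh" script is reported only if sh on
# this host resolves to bash (on Ubuntu it is dash, so it is not reported).

# Print the interpreter name a script's shebang line ultimately selects:
# "#!/usr/bin/env bash" yields "bash"; symlinks such as /bin/sh are followed.
script_interpreter() {
    line=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$line" in
        '#!'*) ;;
        *) return 1 ;;   # no shebang: not run as a script at all
    esac
    set -- ${line#'#!'}  # split "/usr/bin/env bash" into words
    interp=$1
    [ "$(basename "$interp")" = env ] && interp=$2
    # resolve symlinks when the path exists; otherwise keep the name
    target=$(readlink -f "$interp" 2>/dev/null) || target=$interp
    basename "$target"
}

# List every regular file directly under $1 whose interpreter is bash.
audit_bash_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(script_interpreter "$f")" = bash ] && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample directory (one script per case) for a self-test.
make_sample_dir() {
    d=$(mktemp -d)
    printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$d/status.cgi"
    printf '#!/usr/bin/env bash\nls -l\n' > "$d/listing.cgi"
    printf '#!/usr/bin/perl\nprint "ok";\n' > "$d/hello.pl"
    printf '#!/usr/bin/python3\nprint("ok")\n' > "$d/hello.py"
    printf 'not a script\n' > "$d/README"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /usr/lib/cgi-bin   (path is an assumption)
if [ -n "$1" ]; then audit_bash_scripts "$1"; fi
```

Scripts reported here are the ones whose interpreter would have needed the USN updates above; everything else in the directory is outside the bug's reach regardless of the bash version installed.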
