BASH security vulnerability

Andre Rodovalho andre.rodovalho at gmail.com
Thu Oct 9 02:58:08 UTC 2014


If you want something to show to the guys at your next meeting, try this:

http://falkvinge.net/2013/11/17/nsa-asked-linus-torvalds-to-install-backdoors-into-gnulinux/

http://www.techrepublic.com/article/how-munich-rejected-steve-ballmer-and-kicked-microsoft-out-of-the-city/

http://www.comparebusinessproducts.com/fyi/50-places-linux-running-you-might-not-expect

http://www.gfi.com/blog/the-most-vulnerable-operating-systems-and-applications-in-2011/

http://www.gfi.com/blog/report-the-most-vulnerable-operating-systems-and-applications-in-2012/

http://www.gfi.com/blog/report-most-vulnerable-operating-systems-and-applications-in-2013/

2014-10-08 22:26 GMT-03:00 Israel <israeldahl at gmail.com>:

> Hi Marc,
> I'd like to reiterate what Lars said.
> The bug was patched almost as soon as the news broke.  It was seamless.
> However, Apple users had to wait a week or so for an update.  We got it
> MUCH faster, and they are 'known' for security.
>
> After the story broke I ran sudo apt-get update && sudo apt-get upgrade
> and sure enough... bash was there
> Then I saw bash appear again a couple of times when new vulnerabilities
> were discovered.
>
> What this basically means is:
>
> LOTS of BIG companies are REALLY interested in keeping Linux secure.
>
> Examples of big companies that use Ubuntu, and rely on it:
>
> Google
> Facebook
> Wikipedia
> IBM (released a new server with support ONLY for Ubuntu... not even RHEL
> or Oracle)
> Steam
>
> Nearly all of the supercomputers in the world run Linux.
> Nearly all of the smartphones run Linux.
>
> There are *lots* of people who look for problems in the underlying
> structure.  Lots of people investing lots of money into making sure
> everything gets fixed.
>
> But of course, this is mainly for the kernel and underlying mechanisms.
> Not too many big companies invest in LXDE, or XFCE... though I suppose RHEL
> invests in Gnome, so we get some trickle-down from the improved programs
> there.
>
>
>
> On 10/08/2014 02:57 PM, Lars Noodén wrote:
>
> The Shellshock vulnerability.
>
> Desktops were largely unaffected.  The machines that were vulnerable
> were primarily servers that met three conditions:
>
> a. running publicly available scripts
>
> b. those scripts were shell scripts, which is in itself rare as perl,
> python, php are common.
>
> c. those shell scripts were running bash instead of sh, ash or dash
> (ubuntu's default for scripts), which is rare even for public shell
> scripts.
>
> However, given the large number of servers potentially affected, there
> were some that turned out to be vulnerable.  I'm not sure if the dhcp
> client specific to (L)Ubuntu was potentially affected or not.  But for
> the most part, despite having bash, desktops are not vulnerable because
> they are not set up to offer bash (or any other) scripts to outsiders.
>
> About the patching.  Ubuntu patched quickly and a normal update fixes
> the problem(s).
>
> http://www.ubuntu.com/usn/usn-2364-1/
> http://www.ubuntu.com/usn/usn-2363-2/
> http://www.ubuntu.com/usn/usn-2363-1/
> http://www.ubuntu.com/usn/usn-2362-1/
>
> There's not a proper date-time stamp on Ubuntu's announcements above,
> but the first one at least was right quick more or less concurrent with
> the public announcement.  Yes, CVE-2014-6271 and co were a big deal due
> to a really unfortunate misfeature but part of the visibility is due to
> media's enthusiasm for man-bites-dog stories combined with other
> interested parties marketing the heck out of said bugs.
>
> Lastly, extreme bugs like this and the previous server bug have been
> rare which is part of the reason antagonists go out and market the bugs
> under a brand name.  The other one even had a company go out and
> register a web site and hire a web developer to prepare promotional
> materials prior to announcing the bug.
>
> So given the visibility I understand the concern.
>
> Regards,
> /Lars
>
>
>
>
> --
> Regards
>
>
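Lars's three conditions (a publicly reachable script, written for the shell, and interpreted by bash rather than sh/dash) read as an audit checklist for a server administrator. The script below is an added example written for this thread; it is not from the list, from Ubuntu, or from any of the linked advisories. It walks a directory such as a web server's cgi-bin (the path is an assumption) and reports every script whose shebang names bash, as opposed to sh, dash, perl or python. The sample tree it builds under `make_sample_tree` is constructed purely for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find publicly served scripts that
# would be interpreted by bash. Directory layout and file names are
# assumptions; the sample tree below is constructed for illustration.

# classify_interpreter FILE
#   Prints the interpreter named in the file's shebang (bash, sh, dash,
#   perl, ...), or "none" if the file has no shebang line.
classify_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '#!'*) ;;
        *) echo "none"; return 0 ;;
    esac
    interp=${first#\#!}
    # Split "/usr/bin/env bash" or "/bin/bash -e" into words; the
    # interpreter is the first word, or the second when the first is env.
    set -- $interp
    if [ "$(basename "$1")" = "env" ]; then
        shift
    fi
    basename "$1"
}

# audit_dir DIR
#   Prints one line per regular file: "BASH <path>" when the script would
#   run under bash, "OK <path> (<interpreter>)" otherwise.
audit_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        interp=$(classify_interpreter "$f")
        case "$interp" in
            bash) echo "BASH $f" ;;
            *)    echo "OK   $f ($interp)" ;;
        esac
    done
}

# count_bash_scripts DIR
#   Number of bash-interpreted scripts under DIR (0 when none; grep -c's
#   exit status is suppressed so callers using set -e are not affected).
count_bash_scripts() {
    audit_dir "$1" | grep -c '^BASH ' || true
}

# make_sample_tree
#   Builds a constructed cgi-bin tree in a temp directory and prints its
#   path: two bash scripts, one sh script, one perl script, one static file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin"
    printf '#!/bin/bash\necho "Content-type: text/plain"; echo; echo hi\n' \
        > "$d/cgi-bin/status.cgi"
    printf '#!/bin/sh\necho "Content-type: text/plain"; echo; date\n' \
        > "$d/cgi-bin/date.cgi"
    printf '#!/usr/bin/env bash\necho ok\n' > "$d/cgi-bin/report.sh"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$d/cgi-bin/index.pl"
    printf 'static content\n' > "$d/index.html"
    echo "$d"
}

# demo
#   Runs the audit over the constructed tree and cleans up afterwards.
#   For a real server: audit_dir /usr/lib/cgi-bin (path is an assumption).
demo() {
    sample=$(make_sample_tree)
    audit_dir "$sample"
    echo "bash scripts found: $(count_bash_scripts "$sample")"
    rm -rf "$sample"
}
```

Running `demo` lists the two bash scripts in the constructed tree as BASH and the rest as OK. A shebang scan only catches scripts that bash interprets directly; a CGI program in another language that spawns a shell inherits whatever /bin/sh points to, which on Ubuntu is dash, as Lars notes, so on that platform the shebang is the condition worth checking first.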