BASH security vulnerability
andre.rodovalho at gmail.com
Thu Oct 9 02:58:08 UTC 2014
If you want something to show to the guys at your next meeting, try this:
2014-10-08 22:26 GMT-03:00 Israel <israeldahl at gmail.com>:
> Hi Marc,
> I'd like to reiterate what Lars said.
> The bug was patched almost as soon as the news broke. It was seamless.
> However, Apple users had to wait a week or so for an update. We got it
> MUCH faster, and they are 'known' for security.
> After the story broke I ran sudo apt-get update && sudo apt-get upgrade
> and sure enough... bash was there
> Then I saw bash appear again a couple of times when new vulnerabilities
> were discovered.
> What this basically means is:
> LOTS of BIG companies are REALLY interested in keeping Linux secure.
> Examples of big companies that use Ubuntu, and rely on it:
> IBM (released a new server with support ONLY for Ubuntu... not even RHEL
> or Oracle)
> Nearly all of the supercomputers in the world run Linux.
> Nearly all of the smartphones run Linux.
> There are *lots* of people who look for problems in the underlying
> structure. Lots of people investing lots of money into making sure
> everything gets fixed.
> But of course, this is mainly for the kernel and underlying mechanisms.
> Not too many big companies invest in LXDE, or XFCE... though I suppose RHEL
> invests in Gnome, so we get some trickle-down from the improved programs
> On 10/08/2014 02:57 PM, Lars Noodén wrote:
> The Shellshock vulnerability.
> Desktops were largely unaffected. The machines that were vulnerable
> were primarily servers that met three conditions:
> a. running publicly available scripts
> b. those scripts were shell scripts, which is in itself rare as perl,
> python, php are common.
> c. those shell scripts were running bash instead of sh, ash or dash
> (ubuntu's default for scripts), which is rare even for public shell
> However, given the large number of servers potentially affected, there
> were some that turned out to be vulnerable. I'm not sure if the dhcp
> client specific to (L)Ubuntu was potentially affected or not. But for
> the most part, despite having bash, desktops are not vulnerable because
> they are not set up to offer bash (or any other) scripts to outsiders.
> About the patching. Ubuntu patched quickly and a normal update fixes
> the problem(s).
> There's not a proper date-time stamp on Ubuntu's announcements above,
> but the first one at least was right quick, more or less concurrent with
> the public announcement. Yes, CVE-2014-6271 and co were a big deal due
> to a really unfortunate misfeature but part of the visibility is due to
> media's enthusiasm for man-bites-dog stories combined with other
> interested marketing the heck out of said bugs.
> Lastly, extreme bugs like this and the previous server bug have been
> rare which is part of the reason antagonists go out and market the bugs
> under a brand name. The other one even had a company go out and
> register a web site and hire a web developer to prepare promotional
> materials prior to announcing the bug.
> So given the visibility I understand the concern.
> Lubuntu-users mailing list
> Lubuntu-users at lists.ubuntu.com
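As an added example that is not part of the thread, a POSIX shell check an administrator could run after the apt-get upgrade Israel mentions, to confirm that the installed bash no longer has the CVE-2014-6271 environment-import misfeature Lars refers to; the variable name SS_TEST, the marker string and the function names are constructed here and come from no Ubuntu tool.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the local bash still
# imports a function definition (and runs what follows it) from an
# arbitrary environment variable, the CVE-2014-6271 misfeature.
# The variable name SS_TEST and the marker string are constructed here.

# Exit status: 0 = bash ignores the crafted variable (patched),
#              1 = bash executed the trailing command (vulnerable),
#              2 = no bash binary found, nothing to test.
check_shellshock_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    # A vulnerable bash parses the value as a function body and keeps
    # executing past the closing brace while importing the environment, so
    # the marker appears on stdout even though the command run is only 'true'.
    # A patched bash treats the value as an ordinary string (some patched
    # versions print a warning on stderr, which is discarded here).
    out=$(env SS_TEST='() { :;}; echo SS_MARKER_VULNERABLE' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SS_MARKER_VULNERABLE*) return 1 ;;
        *) return 0 ;;
    esac
}

# One-line report suitable for a cron job or a configuration check.
report_shellshock() {
    rc=0
    check_shellshock_6271 || rc=$?
    case "$rc" in
        0) echo "bash: CVE-2014-6271 function import is blocked (patched)" ;;
        1) echo "bash: VULNERABLE to CVE-2014-6271, update the bash package" ;;
        *) echo "bash: not installed, nothing to check" ;;
    esac
}

report_shellshock
```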