<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi Marc, If I were to make a stand against using *Nix as my OS of choice, the Shellshock problem would not be my final stand. Test : (complements of our FOSS friends): In a "Bash Shell" :-), type: env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo && echo Dont panic, your bash is ok! && echo" Latest version of Bash is 4.3.11 Info: Link: <a class="moz-txt-link-freetext" href="http://www.ubuntu.com/usn/usn-2362-1/">http://www.ubuntu.com/usn/usn-2362-1/</a> aka: The issue is already corrected in Ubuntu: I am an advocate of Linux / FOSS in general. I would much rather have 10's of thousand of folks looking at suspect code, rather than rely on the "word of" a supplier who says "we have a handle on it". If there is any doubt about risk assessment, one only needs to look at the Security fixes publish from one to the other. I monitor (just for personal information) NIST and Ubuntu USN, have done for a long time. I dont recall ever having seen nor read about this issue actually causing a major breach. Not to say it hasn't happened, only that I've not seen nor read about it. If you really need expert advise, I would recommend contacting Canonical directly <meta http-equiv="content-type" content="text/html; charset=windows-1252"> for a commercial statement. <a class="moz-txt-link-freetext" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271</a> Info: Link: <a class="moz-txt-link-freetext" href="http://www.ubuntu.com/usn/">http://www.ubuntu.com/usn/</a> Just MHO. 73's Greg, KI7MT <div class="moz-cite-prefix">On 10/08/2014 01:26 PM, Marc Tremblay wrote: </div> <blockquote cite="mid:857604cb1c0645479325171ad6677ee8@EXMBX2.lbpsb.qc.ca" type="cite"> <pre wrap="">I can't believe I left that out of my email. The Shellshock vulnerability. I apologize for that. -----Original Message----- From: <a class="moz-txt-link-abbreviated" href="mailto:lubuntu-users-bounces@lists.ubuntu.com">lubuntu-users-bounces@lists.ubuntu.com</a> [<a class="moz-txt-link-freetext" href="mailto:lubuntu-users-bounces@lists.ubuntu.com">mailto:lubuntu-users-bounces@lists.ubuntu.com</a>] On Behalf Of John Niendorf Sent: October-08-14 3:25 PM To: <a class="moz-txt-link-abbreviated" href="mailto:lubuntu-users@lists.ubuntu.com">lubuntu-users@lists.ubuntu.com</a> Subject: Re: BASH security vulnerability Hi Marc, Just to be clear, what vulnerability do you mean? John On 10/08/2014 09:22 PM, Marc Tremblay wrote: </pre> <blockquote type="cite"> <pre wrap="">Hello, I work for a school board in Montreal, Quebec and we are transitioning over to GAFE. This transition has allowed the acceptance of Ubuntu (Lubuntu) as a perfect solution for converting our older labs which painfully run on Windows 7. In a meeting this morning the issue of the BASH security vulnerability was brought up as a reason not to go the Ubuntu open source route. I need to find out if this security vulnerability is something we should be worried about to the point of not moving forward with this project. It would mean 1000 of computers being sent for recycling instead of repurposing them with FOSS. Any thoughts?? Marc Tremblay Educational Services Dept Lester B. Pearson School Board 1925 Brookdale Dorval, H9P 2Y7 <a class="moz-txt-link-abbreviated" href="mailto:mtremblay@lbpsb.qc.ca">mtremblay@lbpsb.qc.ca</a> <a class="moz-txt-link-rfc2396E" href="mailto:mtremblay@lbpsb.qc.ca"><mailto:mtremblay@lbpsb.qc.ca></a> </pre> </blockquote> <pre wrap=""> -- Lubuntu-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Lubuntu-users@lists.ubuntu.com">Lubuntu-users@lists.ubuntu.com</a> Modify settings or unsubscribe at: <a class="moz-txt-link-freetext" href="https://lists.ubuntu.com/mailman/listinfo/lubuntu-users">https://lists.ubuntu.com/mailman/listinfo/lubuntu-users</a> </pre> </blockquote> </body> </html>