<meta content="text/html; charset=windows-1252">
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Marc,<br>
I'd like to reiterate what Lars said.<br>
The bug was patched almost as soon as the news broke. It was
However, Apple users had to wait a week or so for an update. We
got it MUCH faster, and they are 'known' for security.<br>
After the story broke I ran sudo apt-get update && sudo
apt-get upgrade and sure enough... bash was there<br>
Then I saw bash appear again a couple of times when new
vulnerabilities were discovered.<br>
What this basically means is:<br>
LOTS of BIG companies are REALLY interested in keeping Linux
Examples of big companies that use Ubuntu, and rely on it:<br>
IBM (released a new server with support ONLY for Ubuntu... not
even RHEL or Oracle)<br>
Nearly all of the supercomputers in the world run Linux.<br>
Nearly all of the smartphones run Linux.<br>
There are <b>lots</b> of people who look for problems in the
underlying structure. Lots of people investing lots of money into
making sure everything gets fixed.<br>
But of course, this is mainly for the kernel and underlying
mechanisms. Not too many big companies invest in LXDE, or XFCE...
though I suppose RHEL invests in Gnome, so we get some
trickle-down from the improved programs there.<br>
On 10/08/2014 02:57 PM, Lars Noodén wrote:<br>
<blockquote cite="mid:email@example.com" type="cite">
<pre wrap="">The Shellshock vulnerability.
Desktops were largely unaffected. The machines that were vulnerable
were primarily servers that met three conditions:
a. running publicly available scripts
b. those scripts were shell scripts, which is in itself rare, as perl,
python, php are common.
c. those shell scripts were running bash instead of sh, ash or dash
(ubuntu's default for scripts), which is rare even for public shell
However, given the large number of servers potentially affected, there
were some that turned out to be vulnerable. I'm not sure if the dhcp
client specific to (L)Ubuntu was potentially affected or not. But for
the most part, despite having bash, desktops are not vulnerable because
they are not set up to offer bash (or any other) scripts to outsiders.
About the patching. Ubuntu patched quickly and a normal update fixes
<a class="moz-txt-link-freetext" href="http://www.ubuntu.com/usn/usn-2364-1/">http://www.ubuntu.com/usn/usn-2364-1/</a>
<a class="moz-txt-link-freetext" href="http://www.ubuntu.com/usn/usn-2363-2/">http://www.ubuntu.com/usn/usn-2363-2/</a>
<a class="moz-txt-link-freetext" href="http://www.ubuntu.com/usn/usn-2363-1/">http://www.ubuntu.com/usn/usn-2363-1/</a>
<a class="moz-txt-link-freetext" href="http://www.ubuntu.com/usn/usn-2362-1/">http://www.ubuntu.com/usn/usn-2362-1/</a>
There's not a proper date-time stamp on Ubuntu's announcements above,
but the first one at least was right quick more or less concurrent with
the public announcement. Yes, CVE-2014-6271 and co were a big deal due
to a really unfortunate misfeature but part of the visibility is due to
media's enthusiasm for man-bites-dog stories combined with other
interested marketing the heck out of said bugs.
Lastly, extreme bugs like this and the previous server bug have been
rare, which is part of the reason antagonists go out and market the bugs
under a brand name. The other one even had a company go out and
register a web site and hire a web developer to prepare promotional
materials prior to announcing the bug.
So given the visibility I understand the concern.
<pre class="moz-signature" cols="72">--