Stephen M. Webb
stephen.webb at canonical.com
Sat Sep 27 00:10:57 UTC 2014
On 09/26/2014 05:55 PM, Raymond House wrote:
> Hi, all the reports about this bug that I read say that Linux is in it's crosshaires,got an update yesterday that
> was about bash, was this a patch? Strange, that there is not a sound on here about that supposedly dangerous bug
> for linux users.
You should be aware that the bash bug is only a vulnerability if you have some way for a bad guy to get access to your
machine and explicitly run bash, and then exploit that to escalate privileges. It's a concern for a server that runs
bash-based CGI scripts (which is in fact pretty rare), and there are misconfigured routers out there that may fall
into this category, but by and large it's unlikely to affect a normal home computer of any description.
The bug does not affect the majority of CGI scripts (server-side programs that provide dynamic web pages) which are
not written using bash. The default shell in Ubuntu is not bash (Ubuntu uses dash, which does not have the
vulnerability), you would need to go out of your way to use bash.
Nevertheless, installing the patch will eliminate any possibility of your system being exploited through that bug.
The wider concern is the firmware in routers and old old web services.
Most of the noise is because systems are by and large very secure these days, and the security industry has become
cutthroat since the old and leaky Windows systems are all being retired. Today's Microsft Windows systems are pretty
tight. The consumer-grade security industry is starving and they're getting pretty shrill in their death throes.
Stephen M. Webb <stephen at ubuntu.com>
More information about the ubuntu-ca