bash bug

Verdi R-D verdi at azend.org
Sat Sep 27 01:15:16 UTC 2014


It looks like there's another patch on the way.

http://arstechnica.com/security/2014/09/new-shellshock-patch-rushed-out-to-resolve-gaps-in-first-fix/

On Fri, Sep 26, 2014 at 8:10 PM, Stephen M. Webb <stephen.webb at canonical.com> wrote:

> On 09/26/2014 05:55 PM, Raymond House wrote:
> > Hi, all the reports about this bug that I read say that Linux is in its crosshairs, got an update yesterday that
> > was about bash, was this a patch? Strange, that there is not a sound on here about that supposedly dangerous bug
> > for Linux users.
>
> You should be aware that the bash bug is only a vulnerability if you have some way for a bad guy to get access to your
> machine and explicitly run bash, and then exploit that to escalate privileges.  It's a concern for a server that runs
> bash-based CGI scripts (which is in fact pretty rare), and there are misconfigured routers out there that may fall
> into this category, but by and large it's unlikely to affect a normal home computer of any description.
>
> The bug does not affect the majority of CGI scripts (server-side programs that provide dynamic web pages) which are
> not written using bash.  The default shell in Ubuntu is not bash (Ubuntu uses dash, which does not have the
> vulnerability), you would need to go out of your way to use bash.
>
> Nevertheless, installing the patch will eliminate any possibility of your system being exploited through that bug.
> The wider concern is the firmware in routers and old old web services.
>
> Most of the noise is because systems are by and large very secure these days, and the security industry has become
> cutthroat since the old and leaky Windows systems are all being retired.  Today's Microsoft Windows systems are pretty
> tight.  The consumer-grade security industry is starving and they're getting pretty shrill in their death throes.
>
> --
> Stephen M. Webb  <stephen at ubuntu.com>
> https://launchpad.net/~bregma



-- 
I prefer to talk in private. Click here
<http://azend.org/resc/static/signature.asc> to get my PGP key.
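
Added example, not part of the original message: the quoted reply ties exposure to bash-based CGI scripts and to whether the default shell is bash or dash, and this shell script audits a CGI directory for both. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added audit example. Function names and sample files are constructed.

# Name of the shell that /bin/sh (or the path in $1) resolves to: "dash", "bash", ...
sh_target() {
    target=$(readlink -f "${1:-/bin/sh}" 2>/dev/null) || return 1
    basename "$target"
}

# Classify a script by its shebang line: "bash", "sh" or "other".
shebang_shell() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '#!'*bash*) echo bash ;;
        '#!'*/sh | '#!'*/sh\ * | '#!'*env\ sh*) echo sh ;;
        *) echo other ;;
    esac
}

# List scripts under directory $1 that run in bash, where $2 names what /bin/sh is.
# A "#!/bin/sh" script counts only when /bin/sh itself is bash.
bash_cgi_scripts() {
    dir=$1
    sh_is=$2
    find "$dir" -type f | sort | while IFS= read -r f; do
        kind=$(shebang_shell "$f")
        if [ "$kind" = bash ] || { [ "$kind" = sh ] && [ "$sh_is" = bash ]; }; then
            printf '%s\n' "${f#"$dir"/}"
        fi
    done
}

# Constructed sample CGI directory; point bash_cgi_scripts at a real one instead.
demo=$(mktemp -d)
printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$demo/status.cgi"
printf '#!/bin/sh\necho "Content-type: text/plain"\n' > "$demo/ping.cgi"
printf '#!/usr/bin/perl\nprint "ok";\n' > "$demo/form.cgi"
echo "/bin/sh resolves to: $(sh_target)"
echo "Run by bash when /bin/sh is dash:"
bash_cgi_scripts "$demo" dash
echo "Run by bash when /bin/sh is bash:"
bash_cgi_scripts "$demo" bash
rm -rf "$demo"
```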