"Shellshock" bash bug
Colin Law
clanlaw at gmail.com
Fri Sep 26 21:50:25 UTC 2014
On 26 September 2014 22:41, Rashkae <ubuntu at tigershaunt.com> wrote:
> On 14-09-26 05:17 PM, Colin Law wrote:
>>
>> On 26 September 2014 16:43, Kevin O'Gorman <kogorman at gmail.com> wrote:
>>
>>> There has been a code-injection vulnerability in bash for the last 22
>>> years, recently discovered and named "Shellshock". It's nasty.
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>>>
>>
>> I don't fully understand the description. I have a system that cannot be
>> updated that has an ssh port open to the internet, with access by keys
>> only. Is that system vulnerable to attack?
>>
>> Colin
>
>
>
> Not directly.... Although, with a hole that big, I wouldn't be surprised if
> people keep finding new and clever ways to get at it.
>
> If you have ssh access, why can't you upload the bash .deb and install it?
> (dpkg -i whatever_package.deb) This one is much easier to patch than all
> those heartbleed problems.

It is a sheeva plug computer with an Arm processor. Jaunty was the
last Ubuntu version that supported the chip.

It seems, however, that my initial assumption is correct: if they
cannot log in because they do not have the key, then they cannot exploit the
vulnerability.

If someone manages to crack the key and log in, then the vulnerability
is the least of my worries, I think.

Colin