"Shellshock" bash bug
Rashkae
ubuntu at tigershaunt.com
Fri Sep 26 21:57:00 UTC 2014
On 14-09-26 05:50 PM, Colin Law wrote:
>
> It is a sheeva plug computer with an Arm processor. Jaunty was the
> last ubuntu version that supported the chip.
>
> It seems however that my initial assumption is correct, that if they
> cannot login as they do not have the key then they cannot exploit the
> vulnerability.
>
> If someone manages to crack the key and login then the vulnerability
> is the least of my worries I think.
>
> Colin
>
As far as ssh goes, that is correct, your attack surface there is pretty
small, but you have to be careful about anything else, such as web cgi
scripts, or even a default install of Apache, which can try to fork a
process with bash. Also, dhcpclient is vulnerable, if the computer ever
tries to get a dhcp address from a a bad dhcp server.
More information about the ubuntu-users
mailing list