"Shellshock" bash bug

Gene Heskett gheskett at wdtv.com
Sat Sep 27 00:33:27 UTC 2014


On Friday 26 September 2014 17:50:25 Colin Law did opine
And Gene did reply:
> On 26 September 2014 22:41, Rashkae <ubuntu at tigershaunt.com> wrote:
> > On 14-09-26 05:17 PM, Colin Law wrote:
> >> On 26 September 2014 16:43, Kevin O'Gorman <kogorman at gmail.com> wrote:
> >>> There has been a code-injection vulnerability in bash for the last
> >>> 22 years, recently discovered and named "Shellshock".  It's nasty.
> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> >> 
> >> I don't fully understand the description.  I have a system that
> >> cannot be updated that has an ssh port open to the internet, with
> >> access by keys only.  Is that system vulnerable to attack?
> >> 
> >> Colin
> > 
> > Not directly.... Although, with a hole that big, I wouldn't be
> > surprised if people keep finding new and clever ways to get at it.
> > 
> > If you have ssh access, why can't you upload the bash .deb and
> > install it? (dpkg -i whatever_package.deb)  This one is much easier
> > to patch than all those heartbleed problems.
> 
> It is a sheeva plug computer with an Arm processor.  Jaunty was the
> last ubuntu version that supported the chip.
> 
> It seems however that my initial assumption is correct, that if they
> cannot login as they do not have the key then they cannot exploit the
> vulnerability.
 
We are being told by the finders that no login is needed.

> If someone manages to crack the key and login then the vulnerability
> is the least of my worries I think.
> 
> Colin


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS



