"Shellshock" bash bug

Colin Law clanlaw at gmail.com
Sat Sep 27 06:50:07 UTC 2014


On 26 September 2014 22:50, Colin Law <clanlaw at gmail.com> wrote:
> On 26 September 2014 22:41, Rashkae <ubuntu at tigershaunt.com> wrote:
>> On 14-09-26 05:17 PM, Colin Law wrote:
>>>
>>> On 26 September 2014 16:43, Kevin O'Gorman <kogorman at gmail.com> wrote:
>>>
>>>> There has been a code-injection vulnerability in bash for the last 22
>>>> years, recently discovered and named "Shellshock".  It's nasty.
>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>>>>
>>>
>>> I don't fully understand the description.  I have a system that cannot be
>>> updated that has an ssh port open to the internet, with access by keys
>>> only.  Is that system vulnerable to attack?
>>>
>>> Colin
>>
>>
>>
>> Not directly.... Although, with a hole that big, I wouldn't be surprised if
>> people keep finding new and clever ways to get at it.
>>
>> If you have ssh access, why can't you upload the bash .deb and install it?
>> (dpkg -i whatever_package.deb)  This one is much easier to patch than all
>> those heartbleed problems.
>
> It is a sheeva plug computer with an Arm processor.  Jaunty was the
> last Ubuntu version that supported the chip.

There may be a solution that will close the hole anyway, which is
certainly a good idea even if I am not actually at risk, which is to
patch and build bash, which it seems is simpler than might have been
thought, assuming this link can be believed.
http://superuser.com/questions/816787/how-do-i-patch-the-shellshock-vulnerability-on-an-obsolete-ubuntu-system-that-i

Colin



