More info at link, including unofficial patch link and another for technical analysis. Anyone familiar with the Shellshock vulnerability previously noted in this forum and the Bash CLI should at least glance at this.
(Note that the timestamp is in the Australian timezone)
1 posted on 09/29/2014 11:22:24 AM PDT by Utilizer
To: Utilizer
2 posted on 09/29/2014 11:25:40 AM PDT by Daffynition ("We Are Not Descended From Fearful Men")
To: Utilizer
3 posted on 09/29/2014 11:28:35 AM PDT by mc5cents ("Resistance to tyranny is obedience to God." - Thomas Jefferson)
To: Utilizer
Oy vey!
“At first sight, the potential for remote exploitation should be limited to CGI scripts that start with #!/bin/bash and to several other programs that explicitly request this particular shell. But there’s a catch: on a good majority of modern Linux systems, /bin/sh is actually a symlink to /bin/bash!
“This means that web apps written in languages such as PHP, Python, C++, or Java, are likely to be vulnerable if they ever use libcalls such as popen() or system(), all of which are backed by calls to /bin/sh -c '...'. There is also some added web-level exposure through #!/bin/sh CGI scripts, <!--#exec cmd="..."> calls in SSI, and possibly more exotic vectors such as mod_ext_filter.
“For the same reason, userland DHCP clients that invoke configuration scripts and use variables to pass down config details are at risk when exposed to rogue servers (e.g., on open wifi). A handful of MTAs, MUAs, or FTP server architectures may be also of concern - in particular, there are third-party reports of qmail installations being at risk.”
4 posted on 09/29/2014 11:32:33 AM PDT by ConservingFreedom (A government strong enough to impose your standards is strong enough to ban them.)
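The quoted analysis in post 4 comes down to knowing which scripts end up running under bash, so here is an added example (not part of the thread or of the quoted article) that inventories a directory for bash and sh shebangs and SSI exec directives. The function names and the audited paths are assumptions for illustration; a hit shows that bash is reached, not that the installed bash is unpatched.

```shell
#!/bin/sh
# Added example; the directory and shell paths are supplied by the caller.

# Succeeds if the shell path (default /bin/sh) resolves to a file named bash.
sh_is_bash() {
    target=$(readlink -f "${1:-/bin/sh}" 2>/dev/null) || return 1
    [ "$(basename "$target")" = "bash" ]
}

# Prints the interpreter named on a file's "#!" line ("env X" yields X).
shebang_of() {
    head -n 1 "$1" | sed -n '/^#!/{
        s/^#![[:space:]]*//
        s/^[^[:space:]]*\/env[[:space:]]\{1,\}//
        s/[[:space:]].*$//
        p
    }'
}

# Lists files under $1 whose commands reach bash: a bash shebang, an sh shebang
# when sh ($2, default /bin/sh) is bash, or an SSI exec directive (run via sh -c).
audit_dir() {
    dir=$1
    sh_path=${2:-/bin/sh}
    find "$dir" -type f | sort | while IFS= read -r f; do
        interp=$(shebang_of "$f")
        case $(basename "${interp:-none}") in
            bash) echo "bash-direct $f" ;;
            sh)   if sh_is_bash "$sh_path"; then echo "bash-via-sh $f"; fi ;;
        esac
        if grep -q '<!--#exec[[:space:]]\{1,\}cmd=' "$f" && sh_is_bash "$sh_path"; then
            echo "bash-via-ssi $f"
        fi
    done
}
```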
To: ShadowAce
5 posted on 09/29/2014 11:32:47 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them-)
To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Ernest_at_the_Beach; ...
6 posted on 09/29/2014 11:39:00 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
To: Utilizer
However, given that the bash shell is written in Open Source (after all, it is part of UNIX), more complex fixes will probably be out within the next few days anyway. The likes of Red Hat and Canonical probably know how to implement these fixes, too.
7 posted on 09/29/2014 11:43:21 AM PDT by RayChuang88 (FairTax: America's economic cure)
To: Utilizer
Sloppy Web Site builders making it crap for everyone
8 posted on 09/29/2014 11:48:27 AM PDT by molson209 (Blank)
To: Utilizer; All
I understand that one of the machines at work has bash, and probably most Macs do.
But I also understand that if users haven’t changed the default security settings of their machines, and many (most?) users probably haven’t, then you’ve still got safety nets.
Insights welcome.
To: All
I looked about and couldn’t find any info but I was wondering how the Shellshock situation came about in the first place. Was it just bad/sloppy coding/design, a problem with the compiler, or something else?
12 posted on 09/29/2014 12:45:05 PM PDT by Proud_texan (Strange how paranoia can link up with reality now and then. - PK Dick)