[kwlug-disc] Vulnerability in bash
CrankyOldBugger
crankyoldbugger at gmail.com
Thu Sep 25 10:36:01 EDT 2014
The CBC agrees with you:
http://www.cbc.ca/news/technology/new-bash-computer-bug-may-be-worse-than-heartbleed-1.2777514?cmp=rss
And we know how reporters never exaggerate when it comes to technology!
On 25 September 2014 09:43, Fernando Duran <liberosec at yahoo.ca> wrote:
> Oh dear, this is going to be worse than Heartbleed.
>
> I saw this yesterday and I'm terrified, for ex see this guy very easily
> making a remote server execute arbitrary commands (in this case just a
> ping):
> http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html
>
> More analysis today:
> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
>
> sigh
>
> ---------------------
> Fernando Duran
> http://www.fduran.com
>
>
> On Thursday, September 25, 2014 9:36 AM, Khalid Baheyeldin <kb at 2bits.com>
> wrote:
>
>
> >
> >
> >The test for the vulnerability is typing this in a bash shell:
> >
> >env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> >
> >
> >If you get just "this is a test" with some warnings, then you are not
> vulnerable.
> >If you get "vulnerable" as part of the output, then you are.
> >
> >Like many who run a Debian based distro, I use apticron to get email
> notifications of updates to the exact packages that I have installed. I got
> notified yesterday noon-ish of the update and got it installed.
> >
> >I did not need to reboot nor start the shells I have open in screen. The
> output of the test above says I am not vulnerable, but I did not do a
> before and after on the same machine (although a pristine virtual image
> does show it is vulnerable).
> >
> >
> >So, don't think a shell restart is necessary based on the tests above.
> How is this done? I don't know. There are no shared libraries included in
> the package (dpkg -L bash).
> >
> >
> >
> >On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:
> >
> >On Wed, 24 Sep 2014 23:21:57 -0400
> >>"L.D. Paniak" <ldpaniak at fourpisolutions.com> wrote:
> >>
> >>> The list should be aware of a newly-announced and particularly nasty
> >>> parsing bug with all versions of bash:
> >>>
> >>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> >>>
> >>> The combination of "network exploitable" and "authentication not
> >>> required" make this a "10" on the severity scale.
> >>>
> >>> Updated packages for current versions of Ubuntu look to have been
> >>> pushed out earlier today:
> >>> https://launchpad.net/ubuntu/+source/bash
> >>
> >>Presumably, at the least, a post-update logout/login will be necessary
> >>on each machine, if not an entire reboot. (Care to trust that ALL
> >>scripts run between turn on and user prompt use sh not bash? And that
> >>sh hasn't been inadvertently equivalenced to bash?)
> >>
> >>Given that most of us probably have a command line up (outside of any
> >>GUI too!), and thus in memory. Updating will catch any new instances,
> >>but not those you're already in the middle of.
> >>
> >>I suppose this means rebooting all servers, too. <sigh?>
> >>
> >>I wonder if we should expect to see some further script updates to
> >>follow. i.e. 'Inadvertent' taking advantage of 'hole' for non-nefarious
> >>purposes now needing tweaking due to the update. (e.g. Things becoming
> >>broken, albeit things originally written with the best of intentions.)
> >>
> >>
> >>
> >>_______________________________________________
> >>kwlug-disc mailing list
> >>kwlug-disc at kwlug.org
> >>http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >>
> >
> >
> >--
> >Khalid M. Baheyeldin
> >2bits.com, Inc.
> >Fast Reliable Drupal
> >Drupal optimization, development, customization and consulting.
> >Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> >Simplicity is the ultimate sophistication. -- Leonardo da Vinci
> >For every complex problem, there is an answer that is clear, simple, and
> wrong." -- H.L. Mencken
> >
> >
> >_______________________________________________
> >kwlug-disc mailing list
> >kwlug-disc at kwlug.org
> >http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >
> >
> >
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20140925/d228337f/attachment.htm>
More information about the kwlug-disc
mailing list