nanog mailing list archives
Re: update
From: Spencer Gaw <spencerg () frii net>
Date: Wed, 24 Sep 2014 13:38:09 -0600
Keeping silent after the embargo is over isn't doing anyone any favors. I think Florian said it best in his most recent message:
"In this particular case, I think we had to publish technical details so that those who cannot patch immediately can at least try to mitigate this vulnerability using filters on devices in front of web servers, or tools like mod_security. And without the technical details, I doubt this vulnerability would have received the attention it deserves until someone figures things out. We could easily have obfuscated the patch to delay this, but what's the point?"
For anyone that would like to see if a system is vulnerable:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you receive the echo output, your version of bash is affected.

Regards,
SG

On 9/24/2014 1:10 PM, Randy Bush wrote:
See: http://seclists.org/oss-sec/2014/q3/650
sigh. i am well aware of it but saw no benefit for further blabbing a vuln
randy
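The check from the message above, wrapped so that it reports a status for each bash binary on a host instead of relying on reading the output by eye. This is an added example, not part of the original post; the function names `check_bash` and `scan_bash_binaries` and the directory list are assumptions chosen here.

```shell
#!/bin/sh
# Added example: runs the test command from the message against each bash
# binary found and classifies the result. Names below are hypothetical.

MARKER="vulnerable"

# check_bash PATH
#   return 0: test line printed, marker absent  -> not affected
#   return 1: marker printed                    -> affected
#   return 2: not an executable file, or the test line never appeared
check_bash() {
    bin=$1
    [ -f "$bin" ] && [ -x "$bin" ] || return 2
    # env -i starts from an empty environment so only x reaches the child.
    # stderr is dropped because some builds print a warning about x.
    out=$(env -i x="() { :;}; echo $MARKER" "$bin" -c "echo this is a test" 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*)          return 1 ;;
        *"this is a test"*)   return 0 ;;
        *)                    return 2 ;;
    esac
}

# scan_bash_binaries: check every bash in a list of candidate directories.
# The directory list is an assumption; extend it for your systems.
# On hosts where /bin is a symlink to /usr/bin the same file is listed twice.
scan_bash_binaries() {
    for dir in /bin /usr/bin /usr/local/bin /opt/local/bin; do
        [ -e "$dir/bash" ] || continue
        check_bash "$dir/bash" && rc=0 || rc=$?
        case $rc in
            0) echo "$dir/bash: not affected" ;;
            1) echo "$dir/bash: AFFECTED" ;;
            *) echo "$dir/bash: could not run test" ;;
        esac
    done
}

scan_bash_binaries
```

A system can carry more than one bash (for example a locally built copy under /usr/local/bin), so a clean result for the first one in PATH does not cover the others.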