nanog mailing list archives
Re: update
From: Alain Hebert <ahebert () pubnix net>
Date: Wed, 24 Sep 2014 18:58:23 -0400
On 09/24/14 18:50, Jim Popovitch wrote:
> On Sep 24, 2014 6:39 PM, "Michael Thomas" <mike () mtcc com> wrote:
>> On 9/24/14, 3:27 PM, Jim Popovitch wrote:
>>> On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg () gmail com> wrote:
>>>> The scope of the issue isn't limited to SSH, that's just a popular example people are using. Any program calling bash could potentially be vulnerable.
>>>
>>> Agreed. My point was that bash is not all that popular on debian/ubuntu for accounts that would be running public facing services that would be processing user defined input (www-data, cgi-bin, list, irc, lp, mail, etc). Sure some non-privileged user could host their own cgi script on >:1024, but that's not really a critical "stop the presses!!" upgrade issue, imho.
>>
>> This has already made it to /. so I'm not sure why Randy was being so hush-hush...
>>
>> But my read is that this could affect anything that calls bash to do processing, like handing off to CGI by putting in headers to p0wn the box. Also: bash is incredibly pervasive through any unix distro, in not at all obvious places, so I wouldn't be complacent about this at all.
>>
>> Mike
>
> If someone is already invoking #!/bin/bash from a cgi, then they are already doing it wrong (bash has massive bloat/overhead for a CGI script). But I do agree, it's hard to know exactly what idiots do. :-)

Maybe just misinformed, they become idiots if they keep doing it after someone pointed it out to them =D

> -Jim P.
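The thread turns on which scripts actually end up running bash, whether named directly in a `#!` line or reached through an `sh` that is a symlink to it. The following audit sketch is an added example, not part of the original messages; the function names and script name are hypothetical, and it assumes a `readlink` that supports `-f` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: report scripts whose "#!" interpreter is bash, named
# directly, via env, or through a symlink (e.g. an sh that points at bash).

# Print the interpreter from FILE's first line; print nothing if no "#!".
shebang_interp() {
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 0
    case $first in
        '#!'*) ;;
        *) return 0 ;;
    esac
    set -f; set -- ${first#??}; set +f   # split the "#!" line into words
    if [ "${1##*/}" = env ]; then        # "#!/usr/bin/env [opts] NAME"
        shift
        while [ $# -gt 0 ]; do
            case $1 in -*|*=*) shift ;; *) break ;; esac
        done
    fi
    printf '%s\n' "$1"
}

# Succeed when INTERP is bash or an absolute path that resolves to bash.
# A bare name (from an env line) is compared by name only.
is_bash() {
    [ -n "$1" ] || return 1
    target=$1
    case $1 in
        /*) target=$(readlink -f "$1" 2>/dev/null) || target=$1 ;;
    esac
    [ "${target##*/}" = bash ]
}

# Print "FILE<TAB>INTERP" for each regular file under DIR that runs bash.
audit_dir() {
    find "$1" -type f | while IFS= read -r f; do
        interp=$(shebang_interp "$f" 2>/dev/null)
        if is_bash "$interp"; then
            printf '%s\t%s\n' "$f" "$interp"
        fi
    done
}

# Usage: sh audit.sh /path/to/cgi-bin   (script name is hypothetical)
if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

This only covers shebang lines; programs that call bash indirectly (for example through a library call that spawns a shell) need a separate review.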