oss-sec mailing list archives

RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code


From: Sona Sarmadi <sona.sarmadi () enea com>
Date: Sun, 5 Oct 2014 19:48:24 +0000


Sona,

Oh, I didn't realize you actually are with a distro vendor:

"Enea Linux is a Yocto-based Linux distribution targeted for communication
and networking solutions."

Then you do in fact have a valid reason to test for and patch the individual
bugs even when they're no longer security relevant.  My advice is that if you
feel you're a "non-expert" in bash bugs, you simply apply all bash upstream's
patches, and keep adding them to your package of bash as more upstream
patches become available.  You do not need to issue security advisories (or
whatever you normally do when fixing security vulnerabilities) each time: it's
sufficient to do that once, when you've just included the prefix/suffix patch
(bash43-027 or equivalent).  Once you have bash43-027, further patches to
bash are no different than e.g. the many patches that are issued for VIM (a
project that tends to release hundreds of post-release patches, most of
them non-security).

I hope this helps.

Alexander
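Alexander's point that bash43-027 (the prefix/suffix patch) is the one that matters for security can be checked on a built bash binary. The script below is an added example, not part of either message in this thread: it verifies that the bash under test stores exported functions under the `BASH_FUNC_` namespace and does not turn an ordinary environment variable into a function. The bash path is a parameter (assumed `bash` by default).

```shell
#!/bin/sh
# Added example (not from the thread): does this bash carry the
# prefix/suffix function-export fix (bash43-027 or a distro equivalent)?

# Returns 0 when an exported function shows up in the child environment
# under the BASH_FUNC_<name> namespace (suffix "()" in bash 4.3 patch
# level 27+, "%%" from bash 4.4 on), 1 when it is stored under the bare
# function name, which is what the unpatched 4.3 did.
check_function_export_namespaced() {
  bashbin="${1:-bash}"
  "$bashbin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null \
    | grep -q '^BASH_FUNC_probe_fn'
}

# Returns 0 when a plain environment variable whose value merely looks
# like a function body is NOT defined as a shell function by the child
# bash, i.e. import is restricted to the namespaced form. Returns 1 when
# the child bash did define a function from it.
check_plain_var_not_imported() {
  bashbin="${1:-bash}"
  if env probe_var='() { :; }' "$bashbin" \
       -c 'declare -F probe_var >/dev/null 2>&1'; then
    return 1
  fi
  return 0
}

# Both properties must hold for the binary to count as carrying the fix.
check_prefix_suffix_fix() {
  check_function_export_namespaced "$1" && check_plain_var_not_imported "$1"
}

# Stand-alone use: report on the bash given as $1 (default: the one in PATH).
if [ "${0##*/}" != "sh" ] && [ -n "${1:-}" ]; then
  if check_prefix_suffix_fix "$1"; then
    echo "$1: exported functions are namespaced; plain variables are not imported"
  else
    echo "$1: prefix/suffix fix NOT detected"
  fi
fi
```

Run it against each bash you ship (for example the cross-built binary under an emulator, or the target's bash over a serial console); a clean result here is what makes the remaining parser patches non-security updates, as described above.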

Thanks Alexander, 

Yes, you are right, I am one of the distro vendors that is unfortunately not on the closed list, so we only found out 
about this vulnerability when it became public. We are trying to provide correct patches and advisories to our affected 
customers as soon as possible. We have time pressure on us, we need to act quickly, and we appreciate all the help we get 
from the community. We also try to contribute to OpenEmbedded (OE) and Yocto. We have applied all these patches as 
soon as they became available, tested them and sent updates to our customers. I am now trying to upstream the patches 
to OE/Yocto. I am in the process of validating these fixes for different architectures. I want to be sure about each 
patch and test case before sending them to OE. I think it is good that someone applies these patches to the OE/Yocto recipes 
so that all Yocto users can get the corrections automatically instead of having to perform all the manual work 
themselves.

A while ago I sent a membership request to the closed vendor list and was denied by you & Kurt :), which was 
understandable since we were not ready at that time. After that we have worked hard to create a security team and build 
in-house security competence. We have been looking at security tests and tools, defining security incident management 
processes, creating a security checklist, and tracking all security vulnerabilities. As part of our security 
process we have ensured that our bug tracking system has built-in security so sensitive/embargoed information can be 
kept confidential.

For an overview please see our security web page: http://www.enea.com/solutions/Enea-Linux/Security/ and the wiki vendor 
list: http://oss-security.openwall.org/wiki/vendors.
 
I have been on the oss-security list for more than one year and have been reading all posts there, and I see that you guys 
are doing amazing work. I want to take this opportunity to thank you for your hard work.
 
Unfortunately we haven't been able to help this community/list so far since we have been very busy building our own 
in-house security, but hopefully we will get the opportunity in the future. Right now I am trying to bring security to 
the Yocto community so we can work together and secure Yocto Linux and other open source products used in the Yocto 
project.

When do you think we (Enea) are ready for membership on the closed vendor list? What else do you think we need to do?

Best Regards,
Sona
-----
ESRT (Enea Security Response Team)
