As those who read the Redhat bug report on the 24th will know, the first patch for Bash was incomplete. You need to have installed a Bash patch today (or overnight if you are my Debian boxes) as well.

2014-09-25 04:34:58 status installed bash:i386 4.2+dfsg-0.1+deb7u1
2014-09-26 04:47:18 status installed bash:i386 4.2+dfsg-0.1+deb7u3

u2? Apple probably gave it away?

Realistically Bash has a manually written parser; this may not be the last such issue. Switching to a simpler shell for things might be a plausible approach to reduce risk, although I haven't established if dash has a manually written parser. Anyone know? Any recommendations (Bad Apple, Martyn?).

Also avoid shelling out, particularly from web applications, when you can exec a program directly, to side-step shells entirely. I know I wrote some 10 lines of ENV stuff for Apache in a previous role, although hopefully it is all "dash" as it is on Debian.

The second vulnerability might also affect zsh, according to one contributor to the Redhat bug report.

Patch again, take stock, do things differently going forward.

So far the only exploitable vulnerability we've found in our stuff was the really expensive proprietary load balancer, and that required you to be an authenticated user, but that is mostly luck and a lot of Java (which tends not to do the shelling out, and if it does, sticks it behind layers and layers of code). I suspect also that we've been patching more than looking. I have some cool web testing tools sorted to find if it is exploitable, but patch and it won't work.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
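The "exec a program directly instead of shelling out" advice from the post, as an added example in Python (not code from the post, its author or the list): launch the child with an argument list and no shell, and hand it a minimal environment rather than the web server's request-derived one. The SAFE_ENV_KEYS list, the helper names and the sample values are assumptions.

```python
"""Side-stepping the shell when a web app has to launch a program.

Added example: exec the program directly rather than via /bin/sh, and give
the child a minimal environment instead of the web server's request-derived one.
"""
import os
import subprocess
import sys

# Assumed list of variables the child genuinely needs. Everything else, in
# particular request-derived CGI variables (HTTP_USER_AGENT, QUERY_STRING, ...),
# is dropped so no request-controlled string reaches the child at all.
SAFE_ENV_KEYS = ("PATH", "LANG", "LC_ALL", "TZ")


def minimal_env(source=None):
    """Return a fresh environment containing only SAFE_ENV_KEYS."""
    source = os.environ if source is None else source
    return {k: source[k] for k in SAFE_ENV_KEYS if k in source}


def run_direct(argv, env=None, timeout=30):
    """Exec argv[0] directly: no shell is started, so nothing in the
    arguments or the environment is parsed as shell syntax."""
    if isinstance(argv, (str, bytes)):
        raise TypeError("argv must be an argument list, never a command string")
    if not os.path.isabs(argv[0]):
        raise ValueError("argv[0] must be an absolute path, not a PATH lookup")
    result = subprocess.run(argv, shell=False,
                            env=minimal_env() if env is None else env,
                            capture_output=True, text=True,
                            timeout=timeout, check=True)
    return result.stdout


def run_via_shell(command):
    """The pattern the post warns against, kept only for comparison:
    shell=True hands the whole string to /bin/sh for parsing first."""
    return subprocess.run(command, shell=True, capture_output=True,
                          text=True).stdout


# Stand-in for any tool a web app might call: prints its first argument.
PRINT_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

if __name__ == "__main__":
    # Constructed request-derived value; it arrives as one literal argument.
    print(run_direct(PRINT_ARG + ["a; echo b"]), end="")
    print(run_via_shell("echo a; echo b"), end="")
```

With the direct exec the semicolon is just a character in one argument; only the shell path treats it as a command separator.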