nanog mailing list archives

Re: update

From: Michael Thomas <mike () mtcc com>
Date: Wed, 24 Sep 2014 15:35:40 -0700


On 9/24/14, 3:27 PM, Jim Popovitch wrote:

On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg () gmail com> wrote:

The scope of the issue isn't limited to SSH, that's just a popular
example people are using.  Any program calling bash could potentially
be vulnerable.

Agreed.  My point was that bash is not all that popular on
debian/ubuntu for accounts that would be running public facing
services that would be processing user defined input (www-data,
cgi-bin, list, irc, lp, mail, etc).  Sure some non-privileged user
could host their own cgi script on >:1024, but that's not really a
critical "stop the presses!!" upgrade issue, imho.

This is already made it to /. so I'm not sure why Randy was being sohush hush...

But my read is that this could affect anything that calls bash to doprocessing, likehanding off to CGI by putting in headers to p0wn the box. Also: bash isincrediblypervasive though any unix disto, in not at all obvious places, so Iwouldn't be

complacent about this at all.

Mike

Current thread:

Re: update, (continued)
- Re: update Spencer Gaw (Sep 24)
  - Re: update Randy Bush (Sep 24)
    - Re: update Spencer Gaw (Sep 24)
    - Re: update Randy Bush (Sep 24)
    - Re: update Hugo Slabbert (Sep 24)
    - Re: update JoeSox (Sep 25)
    - Re: update Joly MacFie (Sep 25)
- Re: update Jim Popovitch (Sep 24)
  - Re: update Brandon Whaley (Sep 24)
    - Re: update Jim Popovitch (Sep 24)
    - Re: update Michael Thomas (Sep 24)
    - Re: update Jim Popovitch (Sep 24)
    - Re: update Alain Hebert (Sep 24)
    - Re: update Valdis . Kletnieks (Sep 24)
    - Re: update Jim Popovitch (Sep 24)
    - Re: update Daniel Jackson (Sep 24)
    - Re: update Chris Adams (Sep 24)
    - Re: update Jimmy Hess (Sep 24)
    - Re: update William Herrin (Sep 24)
    - Re: update Jim Popovitch (Sep 24)
    - Re: update William Herrin (Sep 24)

(Thread continues...)