nanog mailing list archives
Re: update
From: Michael Thomas <mike () mtcc com>
Date: Wed, 24 Sep 2014 15:35:40 -0700
On 9/24/14, 3:27 PM, Jim Popovitch wrote:
On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg () gmail com> wrote:The scope of the issue isn't limited to SSH, that's just a popular example people are using. Any program calling bash could potentially be vulnerable.Agreed. My point was that bash is not all that popular on debian/ubuntu for accounts that would be running public facing services that would be processing user defined input (www-data, cgi-bin, list, irc, lp, mail, etc). Sure some non-privileged user could host their own cgi script on >:1024, but that's not really a critical "stop the presses!!" upgrade issue, imho.
This is already made it to /. so I'm not sure why Randy was being so hush hush...
But my read is that this could affect anything that calls bash to do processing, like handing off to CGI by putting in headers to p0wn the box. Also: bash is incredibly pervasive though any unix disto, in not at all obvious places, so I wouldn't be
complacent about this at all. Mike
Current thread:
- Re: update, (continued)
- Re: update Spencer Gaw (Sep 24)
- Re: update Randy Bush (Sep 24)
- Re: update Spencer Gaw (Sep 24)
- Re: update Randy Bush (Sep 24)
- Re: update Hugo Slabbert (Sep 24)
- Re: update JoeSox (Sep 25)
- Re: update Joly MacFie (Sep 25)
- Re: update Randy Bush (Sep 24)
- Re: update Spencer Gaw (Sep 24)
- Re: update Brandon Whaley (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update Michael Thomas (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update Alain Hebert (Sep 24)
- Re: update Valdis . Kletnieks (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update Daniel Jackson (Sep 24)
- Re: update Chris Adams (Sep 24)
- Re: update Jimmy Hess (Sep 24)
- Re: update William Herrin (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update William Herrin (Sep 24)