27 Sept 14 – Shellshock, the Bash Bug, affects us all


This topic contains 5 replies, has 3 voices, and was last updated by Christian 3 years, 1 month ago.

  • #2771
    Nick Francesco
    Keymaster

    Ridiculously easy to exploit, and bash is on most of the computers that run the Internet!

    #2772
    Christian
    Participant

    https://access.redhat.com/articles/1200223

    I finished patching earlier today.

    #2773
    Nick Francesco
    Keymaster

    It might not hurt to check again; there have been at least three bash updates since Wednesday.

    #2776
    Christian
    Participant

    From the link, here’s a script to check your copy of BASH.

    env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

    If the output of the above command contains a line containing only the word vulnerable, you are using a vulnerable version of Bash.
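
The check quoted in the post above, wrapped as an added example (not part of the original post or the linked article) that applies the "line containing only the word vulnerable" rule to several bash binaries on one machine. The function names and the candidate paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit helper built around the check command quoted in the thread.

# classify_output: read the check command's combined output on stdin.
# Prints "vulnerable" if any line consists solely of the word "vulnerable"
# (the criterion stated in the post), otherwise "not vulnerable".
classify_output() {
    if grep -qx 'vulnerable'; then
        echo "vulnerable"
    else
        echo "not vulnerable"
    fi
}

# check_bash: run the thread's check against one bash binary and classify it.
# stderr is merged in so that warnings printed by the shell are matched as
# whole lines too; a message that merely mentions the word does not count.
check_bash() {
    local shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "not found"
        return 0
    fi
    env 'x=() { :;}; echo vulnerable' \
        'BASH_FUNC_x()=() { :;}; echo vulnerable' \
        "$shell_path" -c "echo test" 2>&1 | classify_output
}

# audit_all: check every path given as an argument, one result per line.
audit_all() {
    local p
    for p in "$@"; do
        printf '%s: %s\n' "$p" "$(check_bash "$p")"
    done
}

# Candidate locations are assumptions; list wherever bash is installed.
audit_all /bin/bash /usr/bin/bash /usr/local/bin/bash
```

Re-run it after each bash update, since a binary left behind in a secondary location is reported separately from the system copy.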

    #2787

    HotDawg
    Participant

    I have several computers that run Linux, and bash is the shell program that I prefer. All these computers were showing that they were vulnerable.

    One of those, which internet users don’t have access to anything that would let them try bash scripts, runs Ubuntu. The last update from Ubuntu included a fix for bash, and it now checks out clean.

    A couple other computers run the latest Slackware Linux distributions. They are showing as also being vulnerable, but I have a security update for bash that just came out, and I am assuming that will fix the problem there. Again, at this point in time, users out on the internet do not have access to these computers.

    Another computer runs a very old version of Slackware — the bash on it has a timestamp back in 2000. It also is showing it as being vulnerable. I don’t believe there are any updates available for it, and I guess maybe it is time to consider updating that old thing. But, it just keeps on ticking away! I do have some users that can log into that computer, but I guess I have to trust my friends as being my friends, and not trying to screw things up for me too much. I had considered swapping in one of the other shell programs for bash — but they all lack features that bash has.

    So, I guess I’m sort of worried, but depend upon the bad guys not being able to get to the computers that are vulnerable.

    #2788
    Christian
    Participant

    It’s important to note that this vulnerability requires being able to set a shell variable, so we’re really only talking about webservers running traditional CGI applications, which isn’t very common. Most servers use mod_perl, mod_php, etc. instead of CGI, and if you’re just running a Linux desktop computer, it shouldn’t affect you at all.
