
Linux bash vulnerability

    #81
    To get really paranoid you want to sign up to here and get their updates: https://www.us-cert.gov/ncas/bulletins

    What about this one, loads of people have Acrobat Reader: NVD - Detail
    Brexit is having a wee in the middle of the room at a house party because nobody is talking to you, and then complaining about the smell.

    Comment


      #82
      Originally posted by darmstadt View Post
      To get really paranoid you want to sign up to here and get their updates: https://www.us-cert.gov/ncas/bulletins

      What about this one, loads of people have Acrobat Reader: NVD - Detail
      I update them
      HTH
      Knock first as I might be balancing my chakras.

      Comment


        #83
        Originally posted by darmstadt View Post
        To get really paranoid you want to sign up to here and get their updates: https://www.us-cert.gov/ncas/bulletins
        And a scout around a few bug tracker archives to spot stuff that has been ignored can be fruitful

        Oops - Bugreport - libVTE scrollback buffer written to disk, affecting gnome-terminal, xfce4-terminal, terminator and more

        Originally posted by darmstadt View Post
        What about this one, loads of people have Acrobat Reader: NVD - Detail
        No Adobe products in use here except Flash tucked away in a VM.

        On the fruity front, from Apple's Security alert updates:

        APPLE-SA-2014-09-23-1 OS X: Flash Player plug-in blocked

        Due to security issues in older versions, Apple has updated the
        web plug-in blocking mechanism to disable all versions prior to
        Flash Player 15.0.0.152 and 13.0.0.244.

        Adobe Flash Player updates available for OS X on September 23, 2014
        Behold the warranty -- the bold print giveth and the fine print taketh away.

        Comment


          #84
          Top regulators warn banks over 'Shellshock' bug as Apple and Oracle prepare patches

          A group of top US financial regulators urged banks to quickly fix their software to protect it against the "Shellshock" computer bug, saying it could expose them to fraud.
          Oracle warned customers on Friday that more than 30 products are vulnerable to the bug, including its high-end Exadata computer systems.

          Oracle said it has only prepared fixes to address the Shellshock vulnerability in two products, the Oracle Linux and Solaris operating systems.
          Knock first as I might be balancing my chakras.

          Comment


            #85
            Still more vulnerabilities in bash? Shellshock becomes whack-a-mole | Ars Technica

            I appreciate the effort made in patch bash43-026, but this patch doesn't even BEGIN to solve the underlying shellshock problem. This patch just continues the "whack-a-mole" job of fixing parsing errors that began with the first patch. Bash's parser is certain to have many many many other vulnerabilities; it was never designed to be security-relevant… John Haxby recently posted that "A friend of mine said this could be a vulnerability gift that keeps on giving." Bash will be a continuous rich source of system vulnerabilities until it STOPS automatically parsing normal environment variables; all other shells just pass them through! I've turned off several websites I control because I have *no* confidence that the current official bash patches actually stop anyone, and I am deliberately *not* buying products online today for the same reason. I suspect others have done the same. I think it's important that bash change its semantics so that it "obviously has absolutely no problems of this kind".
            Knock first as I might be balancing my chakras.

            Comment


              #86
              Really a user's problem:

              "The use of shells for CGI was discouraged since the mid 90s."
              Have a Bomb.Com '90s Bachelorette Bash!
              Brexit is having a wee in the middle of the room at a house party because nobody is talking to you, and then complaining about the smell.

              Comment


                #87
                Originally posted by darmstadt View Post
                And as I and the Rt Hon Nick Fitz have both said, cgi is only one example of an attack vector.

                HTH
                Knock first as I might be balancing my chakras.

                Comment


                  #88
                  Originally posted by suityou01 View Post
                  And as I and the Rt Hon Nick Fitz have both said, cgi is only one example of an attack vector.

                  HTH
                  SSH, DHCP and log parsing are all examples that can be exploited, in fact anything that can open a bash shell. What's more interesting is that it was discovered on the 12th September but not made official until 24th September. Get your conspiracy theories ready...

                  (I use tcsh as that is what my OS of choice provides)
                  Brexit is having a wee in the middle of the room at a house party because nobody is talking to you, and then complaining about the smell.

                  Comment
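The mechanism behind the vectors listed in the post above (CGI, SSH, DHCP, log parsing) and behind the Ars quote's complaint in #85 that bash parses ordinary environment variables, as an added example; this is not code posted in the thread. It simulates a CGI gateway that copies request headers into HTTP_* variables and then runs a bash handler, classifies the host's bash using the widely published CVE-2014-6271 probe string, and lists the reserved BASH_FUNC_ names a patched bash uses for exported functions. The request values and the helpers SAMPLE_UA, run_cgi, shellshock_status and exported_function_names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the thread: a CGI gateway in miniature. A gateway
# copies request headers into HTTP_* environment variables before exec'ing
# the handler, so a header value reaches bash's environment-import parser
# before the handler's first line runs. That is the CGI vector; SSH
# (TERM/SSH_ORIGINAL_COMMAND via ForceCommand), DHCP client hooks and log
# parsers that shell out are the same pattern with a different carrier.

# Constructed User-Agent carrying the published CVE-2014-6271 probe: a
# function definition followed by a trailing command. Nothing destructive.
SAMPLE_UA='() { :;}; echo injected'

# Run a bash handler the way a CGI gateway would: clean environment plus the
# HTTP_* variables derived from the request. $1 is the User-Agent value.
# Returns 2 when no bash is installed.
run_cgi() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    env -i PATH="$PATH" \
        REQUEST_METHOD=GET SCRIPT_NAME=/cgi-bin/status \
        HTTP_HOST=example.test HTTP_USER_AGENT="$1" \
        "$bash_bin" -c 'printf "Content-Type: text/plain\n\nstatus ok\n"'
}

# Classify the host's bash from the handler output. A vulnerable bash runs
# the trailing "echo injected" while importing the bogus function; a patched
# one defines or rejects the function and the handler output is unchanged.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(run_cgi "$SAMPLE_UA" 2>/dev/null)
    case "$out" in
        *injected*) echo vulnerable; return 1 ;;
        *)          echo patched;    return 0 ;;
    esac
}

# The fix side of the argument in #85: a patched upstream bash no longer
# treats ordinary variables as function definitions at all. Exported
# functions travel under a reserved BASH_FUNC_ prefix, so a variable named
# HTTP_USER_AGENT can never be mistaken for one. Prints those names; the
# exact suffix after the function name varies between upstream and vendors.
exported_function_names() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    "$bash_bin" -c 'hello() { echo hi; }; export -f hello; env' \
        | sed -n 's/^\(BASH_FUNC_[^=]*\)=.*/\1/p'
}
```

Typical use: `shellshock_status` prints `patched` on any bash carrying the September 2014 fixes and `vulnerable` on an unpatched 4.3 or earlier; `run_cgi 'Mozilla/5.0'` shows the handler output a normal request produces; `exported_function_names` shows the namespace the fix introduced.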


                    #89
                    Originally posted by darmstadt View Post
                    SSH, DHCP and log parsing are all examples that can be exploited, in fact anything that can open a bash shell. What's more interesting is that it was discovered on the 12th September but not made official until 24th September. Get your conspiracy theories ready...

                    (I use tcsh as that is what my OS of choice provides)
                    Right, to name but a few. So post #86 was just a shameless trolling exercise?
                    Knock first as I might be balancing my chakras.

                    Comment


                      #90
                      Originally posted by suityou01 View Post
                      Right to name but a few. So post #86 was just a shameless trolling exercise?
                      Nope, still a user's problem. You shouldn't allow any application to open a shell and execute commands/scripts/etc. from non-trusted sources, but still, approximately 90% of the posts on here are a troll, aren't they? I noticed that a second version of Shellshock has come out.
                      Brexit is having a wee in the middle of the room at a house party because nobody is talking to you, and then complaining about the smell.

                      Comment
