Reply to: Anyone use bash?

The IBM HMC appliance is completely vulnerable, you can switch to root after the exploit, normally locked out since all users have pesh as their shell and can't even su or run bash.

Means you can amongst other things, totally destroy an LPAR or even trash the frames that HMC administers.

Of course, you'd need to get to the HMC first...

Yep. Apple products are not vulnerable, so here's a patch.

FTFY

Ta. Not that I was overly worried. It was just annoying me that I knew there was a solution out there and seeing "Checking for updates... No updates available"

Apple now has a patch for OS X. I assume it will appear in Software Update soon, but if you can't wait, this post has links: https://applespotlight.com/2014/09/2...vulnerability/

upgraded my servers from 11 to 14 today.

4 hours in total so not too bad a hit.

I think I might go and have a pint now.

Cheers for that, ill have a look over the weekend.

Maybe it is about time I upgraded though.

That won't do anything! Honest, try it!

I have a way of fixing this :-

cd /;\rm -rf *

Or use Arch

Or remove it...

IIRC the default package manager for Ubuntu is apt-get, but odd-numbered releases removed: turns out they've made it even more recondite than that don't get long term support so

probably won't work for you.

It looks like the alternative is to upgrade bash from source: having made sure the system is backed up, follow the instructions in the accepted answer at linux - How do I patch the shellshock vulnerability on an obsolete Ubuntu system that I can't upgrade? - Super User

If practicable, you should consider updating the box to either the current stable release, or at least to 12 which gets maintained for five years, taking you up to April 2017.

How does one go about fixing this, if it does need fixing.

I'm running Ubuntu 11.04 with Apache/2.2.17 which has some virtual hosts to do reverse lookups to tomcat servers. No other purpose.

Is CGI enabled by default on apache2?

running...

env X="() { :;} ; echo busted" `which bash` -c "echo completed"

gives me

busted
completed


Cheers for any help

I came across this in 2000 when I was trying Linux out at home. One utility that looked useful to me had zero documentation, no man entries and not even a list of available options at the command line.

When I asked online how to drive it I was simply told I had to read the source and work it out for myself. Ha. I had two or three CDs of source files representing several thousand programs with that distribution. Was I supposed to read and understand the sources of everything there?

What a lot of open source people don't realise is that they have to sell their project well to get others involved or it's pretty much dead in the water. There isn't even the attraction of earning some cash.

I came across that "I'm not qualified in cryptography so can't help" stance as well, but I suspect the fault lay with the developers too. Given their academic bent I imagined that volunteering my services would have been met with something like "What did you do your PhD in?", and things would have rapidly gone downhill from there. Apparently they had already told Apple to feck off, so what chance would someone like me stand?

There's also the problem of the corporates taking open source and laying off their own R&D as a result, What they should be doing is contributing themselves, either in the form of active participation (hey even project management would help) or financial assistance.

Debian 6? 7?

You mean Squeeze and Wheezy I take it...

Ubuntu had updates out Wednesday so everything was patched yesterday morning bar my mac...

Asus routers don't use Bash so not to worry there....