Here's a useful explanation of what it's all about, including links to the related advisories and so forth: Troy Hunt: Everything you need to know about the Shellshock Bash bug
Anyone use bash?
Originally posted by jmo21
Mind you, it shows that companies shouldn't treat Twitter just as a place to respond to things people say about/ask them: they ought to be using it to find out about important stuff they need to deal with, too.
Red Hat seem to have patched it up pretty quickly for RHEL, not sure if Centos/Fedora will get it downstream, HP have done same for HP-UX, Oracle so far nothing for Solaris, IBM know about it but haven't bothered because we all know you must be daft to install the bash fileset on proper Unix - it's not in the AIX out-of-box experience with good reason.
We have bash on Windows for GPFS under MS SUA, no solution for that yet but might not be needed....
Fun day!
What it does highlight is the real issue with the use of Open Source tools. BASH is maintained under the auspices of the Free Software Foundation; in practice there is one guy who is responsible for it. His name is Chet Ramey and he works on it on a volunteer basis alongside his real job at Case Western Reserve University in the US.
The problem is that because the open source model is meant to ensure that code is peer reviewed by the open source community there is a tendency for people to assume that someone else has done the reviewing and that it must be ok because so many people are using it.
This is essentially what happened with Heartbleed. Only two people actually reviewed the code for Open SSL. And they were the guy who wrote it and the guy who managed the repository for it. Everyone else just went "Ooh, cryptography stuff, that's too complicated for me, I'll just assume someone else has looked at it."
When problems like this arise you have no recourse with a supplier or developer because it's all done on a voluntary basis and you use it at your own risk. Caveat Emptor.
I'm not saying Open Source stuff is bad per se, the Open Source community has produced some of the best software around, but it does mean you need to do your own due diligence on the code you are going to use before you use it, and many large organisations (and small ones) overlook this and treat it as regular commercial software.
"Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
Originally posted by stek
The exploit allows you to access the webserver remotely via bash....
If you are using Perl, Python, PHP you should be OK (well unless any of those are invoked via bash)
Behold the warranty -- the bold print giveth and the fine print taketh away.
Originally posted by DaveB
What it does highlight is the real issue with the use of Open Source tools. BASH is maintained under the auspices of the Free Software Foundation; in practice there is one guy who is responsible for it. His name is Chet Ramey and he works on it on a volunteer basis alongside his real job at Case Western Reserve University in the US.
The problem is that because the open source model is meant to ensure that code is peer reviewed by the open source community there is a tendency for people to assume that someone else has done the reviewing and that it must be ok because so many people are using it.
This is essentially what happened with Heartbleed. Only two people actually reviewed the code for Open SSL. And they were the guy who wrote it and the guy who managed the repository for it. Everyone else just went "Ooh, cryptography stuff, that's too complicated for me, I'll just assume someone else has looked at it."
When problems like this arise you have no recourse with a supplier or developer because it's all done on a voluntary basis and you use it at your own risk. Caveat Emptor.
I'm not saying Open Source stuff is bad per se, the Open Source community has produced some of the best software around, but it does mean you need to do your own due diligence on the code you are going to use before you use it, and many large organisations (and small ones) overlook this and treat it as regular commercial software.
Originally posted by Unix
It's an issue with cgi not bash, bash is just executing the commands.
"Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
Originally posted by NickFitz
Mind you, it shows that companies shouldn't treat Twitter just as a place to respond to things people say about/ask them: they ought to be using it to find out about important stuff they need to deal with, too.
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
Happy Thursday
Last edited by Sysman; 25 September 2014, 20:31.
Behold the warranty -- the bold print giveth and the fine print taketh away.
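The thread's point about CGI (the web server copies request headers into environment variables that bash then parses) and Red Hat's note on CVE-2014-6271 / CVE-2014-7169 suggest a defender's check: look through web access logs for the bash function-definition prefix in header fields. The script below is an added example, not code from the thread or from Red Hat; the Apache combined-format regex and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format (assumed layout):
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock payload (CVE-2014-6271 / CVE-2014-7169) begins with a bash
# function definition, "() {", placed in any header value that the CGI layer
# copies into the environment. Whitespace between the tokens is optional.
FUNC_DEF = re.compile(r'\(\)\s*\{')

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.9 - - [25/Sep/2014:10:00:02 +0100] "GET /cgi-bin/status HTTP/1.1" 200 80 "-" "() { :;}; echo constructed-sample"',
    '203.0.113.9 - - [25/Sep/2014:10:00:03 +0100] "GET /cgi-bin/status HTTP/1.1" 500 0 "(){:;}; echo constructed-sample" "curl/7.35.0"',
    '203.0.113.10 - - [25/Sep/2014:10:00:04 +0100] "GET /cgi-bin/test.cgi?q=()%20%7B%20:;%7D; HTTP/1.1" 404 0 "-" "curl/7.35.0"',
    'garbage line with () { :;}; that does not parse',
]


def find_shellshock(lines):
    """Return one dict per suspicious line: host, the field that matched, and a snippet."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            # Unparseable lines are scanned whole rather than silently dropped.
            if FUNC_DEF.search(line):
                hits.append({"host": None, "field": "raw", "snippet": line[:60]})
            continue
        # The request line may carry the payload percent-encoded in the query string.
        fields = {"request": unquote(m["request"]), "referer": m["referer"], "agent": m["agent"]}
        for name, value in fields.items():
            if FUNC_DEF.search(value):
                hits.append({"host": m["host"], "field": name, "snippet": value[:60]})
                break  # one record per line is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

A hit only tells you the prefix was sent, not that the CGI handler invoked bash or that the host was unpatched; confirm against the bash version on the server.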