
Anyone use bash?


    #11
    Here's a useful explanation of what it's all about, including links to the related advisories and so forth: Troy Hunt: Everything you need to know about the Shellshock Bash bug



      #12



        #13
        Originally posted by jmo21
        FWIW, they've woken up since then and say they are sorting things out

        Mind you, it shows that companies shouldn't treat Twitter just as a place to respond to things people say about/ask them: they ought to be using it to find out about important stuff they need to deal with, too.



          #14
          It's an issue with CGI, not bash; bash is just executing the commands.



            #15
            Red Hat seem to have patched it up pretty quickly for RHEL, not sure if Centos/Fedora will get it downstream, HP have done same for HP-UX, Oracle so far nothing for Solaris, IBM know about it but haven't bothered because we all know you must be daft to install the bash fileset on proper Unix - it's not in the AIX out-of-box experience with good reason.

            We have bash on Windows for GPFS under MS SUA, no solution for that yet but might not be needed....

            Fun day!



              #16
              What it does highlight is the real issue with the use of Open Source tools. BASH is maintained under the auspices of the Free Software Foundation; in practice there is one guy who is responsible for it. His name is Chet Ramey and he works on it on a volunteer basis alongside his real job at Case Western Reserve University in the US.

              The problem is that because the open source model is meant to ensure that code is peer reviewed by the open source community there is a tendency for people to assume that someone else has done the reviewing and that it must be ok because so many people are using it.

              This is essentially what happened with Heartbleed. Only two people actually reviewed the code for OpenSSL. And they were the guy who wrote it and the guy who managed the repository for it. Everyone else just went "Ooh, cryptography stuff, that's too complicated for me, I'll just assume someone else has looked at it."

              When problems like this arise you have no recourse with a supplier or developer because it's all done on a voluntary basis and you use it at your own risk. Caveat Emptor.

              I'm not saying Open Source stuff is bad per se, the Open Source community has produced some of the best software around, but it does mean you need to do your own due diligence on the code you are going to use before you use it, and many large organisations (and small ones) overlook this and treat it as regular commercial software.
              "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



                #17
                Originally posted by stek
                The exploit allows you to access the webserver remotely via bash....
                Only if you have CGI enabled, I think.

                If you are using Perl, Python or PHP you should be OK (well, unless any of those are invoked via bash).
                Behold the warranty -- the bold print giveth and the fine print taketh away.



                  #18
                  Originally posted by DaveB
                  What it does highlight is the real issue with the use of Open Source tools. BASH is maintained under the auspices of the Free Software Foundation; in practice there is one guy who is responsible for it. His name is Chet Ramey and he works on it on a volunteer basis alongside his real job at Case Western Reserve University in the US.

                  The problem is that because the open source model is meant to ensure that code is peer reviewed by the open source community there is a tendency for people to assume that someone else has done the reviewing and that it must be ok because so many people are using it.

                  This is essentially what happened with Heartbleed. Only two people actually reviewed the code for OpenSSL. And they were the guy who wrote it and the guy who managed the repository for it. Everyone else just went "Ooh, cryptography stuff, that's too complicated for me, I'll just assume someone else has looked at it."

                  When problems like this arise you have no recourse with a supplier or developer because it's all done on a voluntary basis and you use it at your own risk. Caveat Emptor.

                  I'm not saying Open Source stuff is bad per se, the Open Source community has produced some of the best software around, but it does mean you need to do your own due diligence on the code you are going to use before you use it, and many large organisations (and small ones) overlook this and treat it as regular commercial software.
                  If only people used Windows, it never had any security issues......
                  Last edited by cojak; 26 September 2014, 07:38. Reason: No insulting professional forums



                    #19
                    Originally posted by Unix
                    It's an issue with CGI, not bash; bash is just executing the commands.
                    It is BASH. The issue is that BASH will accept command input from other sources when it shouldn't. There are legitimate reasons why you would want CGI (or SSH, or Telnet, or a number of other sources) scripts to pass stuff to BASH for execution; the problem is that this can be exploited to get BASH to do stuff that you wouldn't normally be able to do, including running privilege escalation exploits.
                    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
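A defender-side follow-up to the CGI point in the post above (added here; not code from the thread or from any poster): a CGI web server exports request headers such as User-Agent as environment variables, so a header whose value starts with `() {` is exactly what an unpatched bash would import as a function definition. The POSIX sh below scans constructed access-log lines for that prefix and reports the hits and the sending addresses. The log lines, the `SHELLSHOCK_RE` pattern and the function names are all assumptions made for this example; a match only shows that a probe was attempted, not that it succeeded.

```shell
#!/bin/sh
# Added example (not from the thread): scan web-server access-log lines for the
# Shellshock signature. CGI exports request headers (User-Agent, Referer, ...) as
# environment variables, so a header beginning with "() {" is what an unpatched
# bash would have imported as a function. Matching that prefix in logs shows
# that a probe arrived; it says nothing about whether it worked.

# Constructed combined-format log lines; the third carries the signature in its
# User-Agent field with a harmless trailing command.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:00:07 +0100] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.30.0"
198.51.100.23 - - [25/Sep/2014:10:00:09 +0100] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :; }; echo shellshock-probe"
203.0.113.5 - - [25/Sep/2014:10:00:12 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Basic regex: literal "()" then optional whitespace then a literal "{".
# Spacing varies between probe tools, so do not match the fixed string "() {" only.
SHELLSHOCK_RE='()[[:space:]]*{'

# Print matching lines from the log text given as $1.
# Always exits 0 so it is safe under `set -e`.
scan_for_shellshock() {
    printf '%s\n' "$1" | grep "$SHELLSHOCK_RE" || true
}

# Number of matching lines in the log text given as $1 (0 when none).
count_shellshock_hits() {
    scan_for_shellshock "$1" | grep -c . || true
}

# Distinct client addresses (first field) that sent a matching request.
shellshock_source_ips() {
    scan_for_shellshock "$1" | cut -d' ' -f1 | sort -u
}

# Stand-alone run over the constructed sample.
echo "hits: $(count_shellshock_hits "$SAMPLE_LOG")"
echo "sources:"
shellshock_source_ips "$SAMPLE_LOG"
```

On a real box the same functions work on `"$(cat /var/log/apache2/access.log)"` or on a `tail -f` pipe; the point of the basic regex over a fixed string is that attackers rarely bother with the canonical spacing.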



                      #20
                      Originally posted by NickFitz
                      Mind you, it shows that companies shouldn't treat Twitter just as a place to respond to things people say about/ask them: they ought to be using it to find out about important stuff they need to deal with, too.
                      WHS. It's where I got this nugget

                      Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
                      Oh, and this:

                      Happy Thursday
                      Last edited by Sysman; 25 September 2014, 20:31.
                      Behold the warranty -- the bold print giveth and the fine print taketh away.
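Since the post above quotes Red Hat saying the first fix for CVE-2014-6271 was incomplete and a second id, CVE-2014-7169, was assigned, here is an added self-check (not from the thread, and not Red Hat's own text) that an administrator can run after patching to confirm both issues are actually closed on the local bash. It wraps the two widely published Red Hat diagnostic one-liners; `BASH_BIN` is an assumed knob for pointing at a non-default binary, and the `marker`/`probe-done` strings are constructed for this example.

```shell
#!/bin/sh
# Added example: local self-check for the two Shellshock CVEs named in the post.
# Not code from the thread; it wraps the widely published Red Hat diagnostics so
# an admin can confirm that an update actually closed both issues.
# BASH_BIN is an assumed variable for testing a non-default bash binary.

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: an exported variable whose value starts with "() {" is imported
# as a function; an unpatched bash also runs whatever follows the closing brace.
# Prints "vulnerable", "patched" or "bash-not-found".
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo bash-not-found; return 0; }
    out=$(env 'x=() { :;}; echo VULNERABLE' "$BASH_BIN" -c 'echo probe-done' 2>/dev/null) || true
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169 (the incomplete-fix follow-up): parser state leaks out of the
# imported definition, so on an affected bash `-c 'echo marker'` is mis-parsed
# and a file named "echo" appears in the working directory. The probe runs in a
# throwaway temp directory so nothing is left behind either way.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo bash-not-found; return 0; }
    tmp=$(mktemp -d) || { echo error; return 1; }
    ( cd "$tmp" && env 'X=() { (a)=>\' "$BASH_BIN" -c 'echo marker' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Print both verdicts; return 0 only when both probes report "patched".
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$a" "$b"
    [ "$a" = patched ] && [ "$b" = patched ]
}

shellshock_status
```

The exit status makes it usable from a fleet-wide check (`ssh host sh shellshock-check.sh || echo "$host still exposed"`); note that it tests whichever `bash` is first on PATH, so hosts with a second copy (the MS SUA bash mentioned earlier in the thread, or a vendor-supplied one under /usr/local) need `BASH_BIN` pointed at each copy in turn.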
