[LAU] [OT] Bash (shell) security issues

[david]

On 10/24/2014 02:35 AM, Brett McCoy wrote:
> On Fri, Oct 24, 2014 at 8:23 AM, F. Silvain <silvain at freeshell.de
> <mailto:silvain at freeshell.de>> wrote:
>
>     Hey hey everyone,
>     I hreard, that the Bash (Bourne Again shell) had a vital security
>     issue, that was only fixed very recently. So if you rely on Bash
>     better update. I _THINK_ the problem was only fixed last week or so.
>     Let your friends know! :)
>
>     Don't ask me about specifics, I just got the info and passed it
>     along, since it sounded like good advice.
>
>
> I think you are talking about this:
>
> http://seclists.org/oss-sec/2014/q3/650
>
> It first came to light about a month ago or so. It's primarily a concern
> on public servers, with old fashioned CGI scripts being the primary
> vector. I imagine (and hope) most distros have released updates to
> address this by now.

Ubuntu and Debian have. Although when I tested on my Debian Sid set up 
(without any updates), it didn't have the issue. Apparently a number of 
distros use dash instead of bash, symlinking a "bash" to the dash 
executable.

-- 
David W. Jones
gnome at hawaii.rr.com
authenticity, honesty, community
http://dancingtreefrog.com