[GLLUG] Bash Bug

Peter Cannon peter at cannon-linux.co.uk
Fri Sep 26 08:18:25 UTC 2014


On 25/09/14 23:26, Karanbir Singh wrote:
> On 09/25/2014 10:44 PM, Alain Williams wrote:
>> On Thu, Sep 25, 2014 at 10:38:32PM +0100, Alain Williams wrote:
>>> ....
>>
>> FYI: something referenced from the SELinux mail list:
>>
>>      https://danwalsh.livejournal.com/71122.html
>>
>
> this is a great post on how SELinux can help overall in situations like
> this as well.
>
> the other thing that is important to note here is that there is -lots-
> of software out there that uses system() calls to do things, every one
> of those is potentially at risk here; nagios / gitweb etc are just a tip
> of the iceberg. There is plenty of desktop / app grade software that
> does this as well.
>
> So, although I agree that bash for cgi-scripts is just completely
> whacked out, in many cases the issue is being inherited from other code,
> that does the system shell out.
>
> btw, sky hd+ boxes running linux... also exploitable.
>

Thank Fortuna for the Bourne Again Shell vulnerability! Open Source news 
was on its arse before you came along. :-)

-- 
Regards
Peter Cannon

IRC: dick_turpin @ freenode.net
https://twitter.com/dick_turpin
http://www.cannon-linux.co.uk
https://plus.google.com/100694334141523232451/posts
Podcast: http://tdtrs.co.uk

"Be who you are and say what you feel because those who mind don't 
matter and those who matter don't mind."
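
Added example, not part of the original thread: the quoted point about system() calls inheriting the bash problem, seen from the defensive side, as a C sketch that runs a helper program without /bin/sh and passes on only an allowlisted environment. The function names, the allowlist and the 16-slot limit are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Variables the child may inherit: an assumed allowlist, adjust per application. */
static const char *const ALLOWED[] = { "PATH", "LANG", "TZ", NULL };
/* Unpatched bash imported any environment value beginning "() {" as a function. */
int looks_like_function_import(const char *value) {
    return strncmp(value, "() {", 4) == 0;
}

/* 1 if a "NAME=value" entry is allowlisted and not function-shaped, else 0. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || looks_like_function_import(eq + 1)) return 0;
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(entry, ALLOWED[i], n) == 0) return 1;
    return 0;
}

/* Copy permitted entries of src into dst (cap slots, NULL included); returns count. */
size_t filter_env(char *const src[], char *dst[], size_t cap) {
    size_t kept = 0;
    for (size_t i = 0; src[i] != NULL && kept + 1 < cap; i++)
        if (env_entry_allowed(src[i])) dst[kept++] = src[i];
    dst[kept] = NULL;
    return kept;
}

/* In place of system(): exec argv[0] directly, no /bin/sh, filtered environment. */
int run_without_shell(char *const argv[], char *const parent_env[]) {
    char *child_env[16];
    filter_env(parent_env, child_env, 16);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(argv[0], argv, child_env); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed environment; the child (env) should print only the PATH line. */
    char *env[] = { "PATH=/usr/bin:/bin", "HTTP_USER_AGENT=() { :; }", "HOME=/root", NULL };
    char *argv[] = { "/usr/bin/env", NULL };
    return run_without_shell(argv, env);
}
```

run_without_shell returns the child's exit status, 127 if the exec failed, and -1 on a fork or wait error.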
