[Nottingham] Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

david at gbenet.com
Fri Sep 26 09:36:21 UTC 2014


Free Software Foundation


    Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

This post can be viewed online at
https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

A major security vulnerability has been discovered in the free software shell GNU Bash. The
most serious issues have already been fixed, and a complete fix is well underway. GNU/Linux
distributions are working quickly to release updated packages for their users. All Bash
users should upgrade immediately, and audit the list of remote network services running on
their systems.

Bash is the GNU Project's <https://www.gnu.org> shell; it is part of the suite of software
that makes up the GNU operating system. The GNU programs plus the kernel Linux form a
commonly used complete free software <https://www.gnu.org/philosophy/free-sw> operating
system, called GNU/Linux. The bug, which is being referred to as "shellshock," can, in some
circumstances, allow attackers to remotely access and control systems that use Bash (or
programs that call Bash), regardless of what kernel they are running.
The bug probably affects many GNU/Linux users, along with those using Bash on proprietary
operating systems like Apple's OS X and Microsoft Windows. Additional technical details
about the issue can be found at CVE-2014-6271
<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271> and CVE-2014-7169
<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>.
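As an added example (not part of the FSF statement or of the Bash project's own code), the following POSIX shell self-check lets an administrator confirm, after installing the updated package, that the bash on a host is no longer affected by the two CVEs above; the variable name SHELLSHOCK_PROBE and the canary strings are arbitrary choices.

```shell
#!/bin/sh
# Added self-check, not code from the FSF or the Bash project.  It confirms
# whether the bash on PATH is still affected by CVE-2014-6271 (the original
# shellshock bug) and CVE-2014-7169 (the follow-up), so an admin can verify
# that the distribution's updated package actually took effect.

# Version string of the bash on PATH (empty and status 1 if none is installed).
bash_version() {
    command -v bash >/dev/null 2>&1 || return 1
    bash --version 2>/dev/null | sed -n '1s/.*version \([^ ]*\).*/\1/p'
}

# CVE-2014-6271: an unpatched bash runs the commands appended to a function
# definition imported from the environment.  Status 0 = vulnerable (the
# canary string appears), 1 = patched, 2 = bash not found.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    probe_out=$(env 'SHELLSHOCK_PROBE=() { :; }; echo canary-6271' \
                    bash -c 'echo probe-ran' 2>/dev/null)
    case "$probe_out" in
        *canary-6271*) return 0 ;;
        *)             return 1 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix still let a malformed definition
# redirect the next command's output into a file named "echo".  Run in a
# scratch directory so a vulnerable shell cannot litter the caller's cwd.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    scratch=$(mktemp -d 2>/dev/null) || return 2
    ( cd "$scratch" && env 'SHELLSHOCK_PROBE=() { (a)=>\' \
          bash -c 'echo date' ) >/dev/null 2>&1
    if [ -f "$scratch/echo" ]; then probe_rc=0; else probe_rc=1; fi
    rm -rf "$scratch"
    return "$probe_rc"
}

# One-line verdict per CVE; overall status 0 only when neither bug is present.
shellshock_report() {
    if ! command -v bash >/dev/null 2>&1; then echo "bash not on PATH"; return 2; fi
    echo "bash version: $(bash_version)"
    overall=0
    for c in check_cve_2014_6271 check_cve_2014_7169; do
        if "$c"; then echo "$c: VULNERABLE"; overall=1
        else echo "$c: not vulnerable"; fi
    done
    return "$overall"
}
```

Run `shellshock_report` on each host; a non-zero status means the package upgrade has not taken effect yet.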

GNU Bash <https://www.gnu.org/software/bash/> has been widely adopted because it is a free
(as in freedom), reliable, and featureful shell. This popularity means the serious bug that
was published yesterday is just as widespread. Fortunately, GNU Bash's license, the GNU
General Public License version 3 <https://www.gnu.org/licenses/gpl>, has facilitated a rapid
response. It allowed Red Hat
<https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
to develop and share patches in conjunction with the Bash upstream developers' efforts to fix
the bug, which anyone can download and apply themselves. Everyone using Bash has the freedom to
download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary
software.

Software freedom is a precondition for secure computing; it guarantees everyone the ability
to examine the code to detect vulnerabilities, and to create new and safe versions if a
vulnerability is discovered. Your software freedom does not guarantee bug-free code, and
neither does proprietary software: bugs happen no matter how the software is licensed. But
when a bug is discovered in free software, everyone has the permission, rights, and source
code to expose and fix the problem. That fix can then be immediately freely distributed to
everyone who needs it. Thus, these freedoms <https://www.gnu.org/philosophy/free-sw> are
crucial for ethical, secure computing.

Proprietary (aka nonfree) software relies on an unjust development model that denies users
the basic freedom to control their computers. When software's code is kept hidden, it is
vulnerable not only to bugs that go undetected, but to the easier deliberate addition and
maintenance of malicious features <https://gnu.org/philosophy/proprietary>. Companies can
use the obscurity of their code to hide serious problems, and it has been documented that
Microsoft provides intelligence agencies with information about security vulnerabilities
before fixing them
<http://www.computerworlduk.com/blogs/open-enterprise/how-can-any-company-ever-trust-microsoft-again-3569376/>.

Free software cannot guarantee your security, and in certain situations may appear less
secure on specific vectors than some proprietary programs. As was widely agreed in the
aftermath of the OpenSSL "Heartbleed" bug, the solution is not to trade one security bug for
the very deep insecurity inherently created by proprietary software -- the solution is to
put energy and resources into auditing and improving free programs.

Development of Bash, and GNU in general, is almost exclusively a volunteer effort, and you
can contribute <https://www.gnu.org/software/bash/>. We are reviewing Bash development, to
see if increased funding can help prevent future problems. If you or your organization use
Bash and are potentially interested in supporting its development, please contact us
<https://brains.fsf.org/wiki/campaigns/blogs/libby/shellshock-statement/donate@fsf.org>.

The patches to fix this issue can be obtained directly at http://ftp.gnu.org/gnu/bash/.

      Media Contacts

John Sullivan
Executive Director
Free Software Foundation
+1 (617) 542 5942
campaigns at fsf.org <mailto:campaigns at fsf.org>

