[Nottingham] Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

Paul reclusivegeek at yahoo.co.uk
Fri Sep 26 09:56:47 UTC 2014


The problem not only affects bash but can also be exploited on apache, 
python etc. Check out the Red Hat security blog 
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/



On 26/09/14 10:36, david at gbenet.com wrote:
> Free Software Foundation
>
>
>      Free Software Foundation statement on the GNU Bash "shellshock" vulnerability
>
> This post can be viewed online at
> https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability.
>
> A major security vulnerability has been discovered in the free software shell GNU Bash. The
> most serious issues have already been fixed, and a complete fix is well underway. GNU/Linux
> distributions are working quickly to release updated packages for their users. All Bash
> users should upgrade immediately, and audit the list of remote network services running on
> their systems.
>
> Bash is the GNU Project's <https://www.gnu.org> shell; it is part of the suite of software
> that makes up the GNU operating system. The GNU programs plus the kernel Linux form a
> commonly used complete free software <https://www.gnu.org/philosophy/free-sw> operating
> system, called GNU/Linux. The bug, which is being referred to as "shellshock," can allow, in
> some circumstances, attackers to remotely access and control systems using Bash (and
> programs that call Bash) as an attack vector, regardless of what kernel they are running.
> The bug probably affects many GNU/Linux users, along with those using Bash on proprietary
> operating systems like Apple's OS X and Microsoft Windows. Additional technical details
> about the issue can be found at CVE-2014-6271
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271> and CVE-2014-7169
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>.
>
> GNU Bash <https://www.gnu.org/software/bash/> has been widely adopted because it is a free
> (as in freedom), reliable, and featureful shell. This popularity means the serious bug that
> was published yesterday is just as widespread. Fortunately, GNU Bash's license, the GNU
> General Public License version 3 <https://www.gnu.org/licenses/gpl>, has facilitated a rapid
> response. It allowed Red Hat
> <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
> to develop and share patches in conjunction with Bash upstream developers' efforts to fix the
> bug, which anyone can download and apply themselves. Everyone using Bash has the freedom to
> download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary
> software.
>
> Software freedom is a precondition for secure computing; it guarantees everyone the ability
> to examine the code to detect vulnerabilities, and to create new and safe versions if a
> vulnerability is discovered. Your software freedom does not guarantee bug-free code, and
> neither does proprietary software: bugs happen no matter how the software is licensed. But
> when a bug is discovered in free software, everyone has the permission, rights, and source
> code to expose and fix the problem. That fix can then be immediately freely distributed to
> everyone who needs it. Thus, these freedoms <https://www.gnu.org/philosophy/free-sw> are
> crucial for ethical, secure computing.
>
> Proprietary (aka nonfree) software relies on an unjust development model that denies users
> the basic freedom to control their computers. When software's code is kept hidden, it is
> vulnerable not only to bugs that go undetected, but to the easier deliberate addition and
> maintenance of malicious features <https://gnu.org/philosophy/proprietary>. Companies can
> use the obscurity of their code to hide serious problems, and it has been documented that
> Microsoft provides intelligence agencies with information about security vulnerabilities
> before fixing them
> <http://www.computerworlduk.com/blogs/open-enterprise/how-can-any-company-ever-trust-microsoft-again-3569376/>.
>
> Free software cannot guarantee your security, and in certain situations may appear less
> secure on specific vectors than some proprietary programs. As was widely agreed in the
> aftermath of the OpenSSL "Heartbleed" bug, the solution is not to trade one security bug for
> the very deep insecurity inherently created by proprietary software -- the solution is to
> put energy and resources into auditing and improving free programs.
>
> Development of Bash, and GNU in general, is almost exclusively a volunteer effort, and you
> can contribute <https://www.gnu.org/software/bash/>. We are reviewing Bash development, to
> see if increased funding can help prevent future problems. If you or your organization use
> Bash and are potentially interested in supporting its development, please contact us
> <https://brains.fsf.org/wiki/campaigns/blogs/libby/shellshock-statement/donate@fsf.org>.
>
> The patches to fix this issue can be obtained directly at http://ftp.gnu.org/gnu/bash/.
>
>
>        Media Contacts
>
> John Sullivan
> Executive Director
> Free Software Foundation
> +1 (617) 542 5942
> campaigns at fsf.org <mailto:campaigns at fsf.org>
