[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

update

Subject: update
From: jimpop at gmail.com (Jim Popovitch)
Date: Wed, 24 Sep 2014 18:27:03 -0400
In-reply-to: <CAPf5k+6L5JiHoK8ctW0YkwYhzTVV489201fQ7Vcv822SLO7y=A@mail.gmail.com>
References: <m24mvwq1oz.wl%[email protected]> <CAGfsgR1rkC_mdAQYsbNusegcbAm-zakvxohoqbQw5e_d0TOoUw@mail.gmail.com> <CAPf5k+6L5JiHoK8ctW0YkwYhzTVV489201fQ7Vcv822SLO7y=A@mail.gmail.com>

On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg at gmail.com> wrote:
> The scope of the issue isn't limited to SSH, that's just a popular
> example people are using.  Any program calling bash could potentially
> be vulnerable.

Agreed.  My point was that bash is not all that popular on
debian/ubuntu for accounts that would be running public facing
services that would be processing user defined input (www-data,
cgi-bin, list, irc, lp, mail, etc).  Sure some non-privileged user
could host their own cgi script on >:1024, but that's not really a
critical "stop the presses!!" upgrade issue, imho.

-Jim P.

Follow-Ups:
- update
  - From: mike at mtcc.com (Michael Thomas)

References:
- update
  - From: randy at psg.com (Randy Bush)
- update
  - From: jimpop at gmail.com (Jim Popovitch)
- update
  - From: redkrieg at gmail.com (Brandon Whaley)

Prev by Date: update
Next by Date: update
Previous by thread: update
Next by thread: update
Index(es):
- Date
- Thread