[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

update

Subject: update
From: mike at mtcc.com (Michael Thomas)
Date: Wed, 24 Sep 2014 15:35:40 -0700
In-reply-to: <CAGfsgR1a5brii8HyXvbYXfsWefi8ZXCg31XL5jxG_tc-PUUCrQ@mail.gmail.com>
References: <m24mvwq1oz.wl%[email protected]> <CAGfsgR1rkC_mdAQYsbNusegcbAm-zakvxohoqbQw5e_d0TOoUw@mail.gmail.com> <CAPf5k+6L5JiHoK8ctW0YkwYhzTVV489201fQ7Vcv822SLO7y=A@mail.gmail.com> <CAGfsgR1a5brii8HyXvbYXfsWefi8ZXCg31XL5jxG_tc-PUUCrQ@mail.gmail.com>

On 9/24/14, 3:27 PM, Jim Popovitch wrote:
> On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg at gmail.com> wrote:
>> The scope of the issue isn't limited to SSH, that's just a popular
>> example people are using.  Any program calling bash could potentially
>> be vulnerable.
> Agreed.  My point was that bash is not all that popular on
> debian/ubuntu for accounts that would be running public facing
> services that would be processing user defined input (www-data,
> cgi-bin, list, irc, lp, mail, etc).  Sure some non-privileged user
> could host their own cgi script on >:1024, but that's not really a
> critical "stop the presses!!" upgrade issue, imho.
>
>

This is already made it to /. so I'm not sure why Randy was being so 
hush hush...

But my read is that this could affect anything that calls bash to do 
processing, like
handing off to CGI by putting in headers to p0wn the box. Also: bash is 
incredibly
pervasive though any unix disto, in not at all obvious places, so I 
wouldn't be
complacent about this at all.

Mike

Follow-Ups:
- update
  - From: jimpop at gmail.com (Jim Popovitch)

References:
- update
  - From: randy at psg.com (Randy Bush)
- update
  - From: jimpop at gmail.com (Jim Popovitch)
- update
  - From: redkrieg at gmail.com (Brandon Whaley)
- update
  - From: jimpop at gmail.com (Jim Popovitch)

Prev by Date: update
Next by Date: update
Previous by thread: update
Next by thread: update
Index(es):
- Date
- Thread