I slightly wonder about the ISP's cable router. Virgin's blue-glowing superhub.

I also need to patch an old server that is running Wheezy. Has anyone seen a precompiled bash for Wheezy yet?

On 26 September 2014 10:12, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
> As those who read the Redhat bug report on the 24th will know - the
> first patch for Bash was incomplete.
>
> You need to have installed a Bash patch today (or overnight if you are
> my Debian boxes) as well.
>
> 2014-09-25 04:34:58 status installed bash:i386 4.2+dfsg-0.1+deb7u1
> 2014-09-26 04:47:18 status installed bash:i386 4.2+dfsg-0.1+deb7u3
>
> u2? Apple probably gave it away?
>
> Realistically Bash has a manually written parser, this may not be the
> last such issue.
>
> Switching to a simpler shell for things might be a plausible approach to
> reduce risk. Although I haven't established if dash has a manually
> written parser. Anyone know? Any recommendations (Bad Apple, Martyn?).
>
> Also avoid shelling out, particularly from web applications, when you
> can exec a program directly, to side step shells entirely. I know I
> wrote some 10 lines ENV stuff for Apache in a previous role, although
> hopefully it is all "dash" as it is on Debian.
>
> The second vulnerability might also affect zsh according to one
> contributor to the Redhat bug report.
>
> Patch again, take stock, do things differently going forward.
>
> So far the only exploitable vulnerability we've found in our stuff was the
> really expensive proprietary load balancer, and that required you to be
> an authenticated user, but that is mostly luck and a lot of Java (which
> tends not to do the shelling out, and if it does sticks it behind layers
> and layers of code). I suspect also that we've been patching more than
> looking.
>
> I have some cool web testing tools sorted to find if it is exploitable,
> but patch and it won't work.
--
Adrian Midgley
http://www.defoam.net/

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
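Simon's advice in the quoted message is to exec programs directly from web applications instead of shelling out. The following is an added example, not code from the thread or from either poster: it contrasts the two call patterns and additionally passes the child a scrubbed environment so CGI-style `HTTP_*` variables built from request headers never reach it. The `ENV_ALLOWLIST`, the `CGI_ENV` dictionary and the hostile header value are all constructed for the example.

```python
"""Invoking external programs from a web handler without a shell."""
import os
import subprocess

# Assumed allow-list of variables a child process legitimately needs;
# anything else in the handler's environment is dropped.
ENV_ALLOWLIST = ("PATH", "LANG", "LC_ALL", "TZ")


def scrubbed_env(source=None):
    """Copy of `source` (default: os.environ) keeping only allow-listed keys."""
    src = os.environ if source is None else source
    return {k: v for k, v in src.items() if k in ENV_ALLOWLIST}


def run_via_shell(command_line, env):
    """The pattern to avoid: sh -c parses the string and inherits env verbatim."""
    return subprocess.run(command_line, shell=True, env=env,
                          capture_output=True, text=True).stdout


def run_direct(argv, env):
    """Exec argv directly with a scrubbed environment; no shell is involved."""
    if not isinstance(argv, (list, tuple)) or not argv:
        raise TypeError("argv must be a non-empty list of strings")
    return subprocess.run(list(argv), shell=False, env=scrubbed_env(env),
                          capture_output=True, text=True).stdout


# Constructed CGI-style environment: the web server exported request headers
# as HTTP_* variables, and one header value is attacker-controlled.
CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "x; echo injected",   # constructed hostile header
}


def demo():
    """Return (shell output, direct output, child's environment listing)."""
    hostile = CGI_ENV["HTTP_USER_AGENT"]
    via_shell = run_via_shell("echo " + hostile, CGI_ENV)  # second command runs
    direct = run_direct(["echo", hostile], CGI_ENV)        # printed literally
    child_env = run_direct(["env"], CGI_ENV)               # no HTTP_* inside
    return via_shell, direct, child_env


if __name__ == "__main__":
    shell_out, direct_out, child_env = demo()
    print("via shell:", repr(shell_out))
    print("direct   :", repr(direct_out))
    print("HTTP_USER_AGENT reached child:", "HTTP_USER_AGENT" in child_env)
```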