On Fri, 26 Sep 2014, Adrian Midgley wrote:
I slightly wonder about the ISP's cable router. Virgin's blue-glowing superhub. I also need to patch an old server that is running Wheezy. Has anyone seen a precompiled bash for Wheezy yet?
Wheezy is current and a patch has been released. I have servers running Woody, Sarge, Etch, Lenny as well as Squeeze... Fortunately the older ones are running dedicated well-defined applications that I've checked for vulnerabilities and they're fine.
Gordon
On 26 September 2014 10:12, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:

As those who read the Redhat bug report on the 24th will know, the first patch for Bash was incomplete. You need to have installed a Bash patch today (or overnight if you are my Debian boxes) as well.

2014-09-25 04:34:58 status installed bash:i386 4.2+dfsg-0.1+deb7u1
2014-09-26 04:47:18 status installed bash:i386 4.2+dfsg-0.1+deb7u3

u2? Apple probably gave it away?

Realistically Bash has a manually written parser; this may not be the last such issue. Switching to a simpler shell for things might be a plausible approach to reduce risk, although I haven't established if dash has a manually written parser. Anyone know? Any recommendations (Bad Apple, Martyn?).

Also avoid shelling out, particularly from web applications, when you can exec a program directly, to side-step shells entirely. I know I wrote some 10 lines of ENV stuff for Apache in a previous role, although hopefully it is all "dash" as it is on Debian.

The second vulnerability might also affect zsh according to one contributor to the Redhat bug report.

Patch again, take stock, do things differently going forward.

So far the only exploitable vulnerability we've found in our stuff was the really expensive proprietary load balancer, and that required you to be an authenticated user, but that is mostly luck and a lot of Java (which tends not to do the shelling out, and if it does sticks it behind layers and layers of code). I suspect also that we've been patching more than looking. I have some cool web testing tools sorted to find if it is exploitable, but patch and it won't work.

-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq

-- Adrian Midgley http://www.defoam.net/
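Simon's advice to exec a program directly rather than shelling out, shown as an added Python example (not code from the list or from any of its members); the UNTRUSTED value, the environment names and the `echo` target are constructed for the demonstration.

```python
import subprocess
from typing import Optional

# Constructed sample input: a value that arrived from an untrusted source,
# such as an HTTP header that a CGI wrapper would copy into the environment.
UNTRUSTED = "report.txt; echo INJECTED"


def run_via_shell(user_value: str) -> str:
    """Anti-pattern: the whole command line is handed to /bin/sh, which
    parses it, so shell metacharacters in user_value are interpreted."""
    completed = subprocess.run("echo " + user_value, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def run_direct(user_value: str, extra_env: Optional[dict] = None) -> str:
    """The pattern the thread recommends: exec the program with an argv list.
    No shell is started, so nothing parses user_value, and only the
    environment variables we explicitly choose reach the child process."""
    env = {"PATH": "/usr/bin:/bin"}  # minimal env, not the web server's
    if extra_env:
        env.update(extra_env)
    completed = subprocess.run(["echo", user_value], env=env,
                               capture_output=True, text=True)
    return completed.stdout


def exported_function_vars(env: dict) -> list:
    """Defensive check: bash exports shell functions as environment variables
    whose value starts with '() {'. A wrapper can list such variables and
    refuse to pass them on to a child that might be, or might start, bash."""
    return sorted(name for name, value in env.items()
                  if value.lstrip().startswith("() {"))


if __name__ == "__main__":
    print("via shell :", repr(run_via_shell(UNTRUSTED)))
    print("direct    :", repr(run_direct(UNTRUSTED)))
    sample_env = {"PATH": "/bin", "HTTP_USER_AGENT": "Mozilla/5.0",
                  "BASH_FUNC_greet": "() { echo hi; }"}  # constructed
    print("function vars:", exported_function_vars(sample_env))
```

With the argv form the child sees one literal argument, while the shell form runs two commands; the same separation is what keeps request-derived values from ever being parsed by a shell.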