D&C GLug - Home Page


Re: [LUG] Bash bug - part 2 - Shellshock - aftershock?

 

On 26/09/14 10:50, Gordon Henderson wrote:
> On Fri, 26 Sep 2014, Adrian Midgley wrote:
> 
>> I slightly wonder about the ISP's cable router.  Virgin's blue-glowing
>> superhub.
>>
>> I also need to patch an old server that is running Wheezy.  Has anyone
>> seen a precompiled bash for Wheezy yet?
> 
> Wheezy is current and a patch has been released.
> 
> I have servers running Woody, Sarge, Etch, Lenny as well as Squeeze...
> Fortunately the older ones are running dedicated well-defined
> applications that I've checked for vulnerabilities and they're fine.

CERT UK advisor mentioned not letting the apache user (www-data) run
"bash" as a mitigation - I assume using an ACL - which seems sensible
but...

.... horrid, because any bash script that pulls string data from
databases or stored values is still vulnerable.

No one mention DHCP.... till I'm done working on it.


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq