Today's Bash bug could break security for years



Linux users got a nasty surprise today, as a security team at Red Hat uncovered a subtle but dangerous bug in the Bash shell, one of the most versatile and widely used utilities in Linux. It's being called the Bash bug, or Shellshock. When accessed properly, the bug allows for an attacker's code to be executed as soon as the shell is invoked, leaving the door open for a wide variety of attacks. Worse yet, it appears the bug has been present in enterprise Linux software for a long time, so patching every instance may be easier said than done. Red Hat and Fedora have already released patches for the bug. The bug also affects OS X, and while the company has yet to release an official fix, this Stack Exchange post contains details on how Mac users can check for the vulnerability and patch it once identified.

 


http://www.theverge.com/2014/9/24/6840697/worse-than-heartbleed-todays-bash-bug-could-be-breaking-security-for


Updated my servers. Note that they issued another CVE for this (CVE-2014-7169), as apparently the fix being pushed by some distros doesn't fix it entirely and it is still exploitable. *Sigh* 22 f'ing years, that's got to be a record. Plus it's apparently exploitable via Apache too; with the large number of servers that still haven't even patched Heartbleed yet (i.e., some never update), that's scary. Doesn't affect me personally, I keep that functionality disabled, but I'd be worried even more about routers that have a Bash shell built in; those things, with few exceptions, will probably never get updated.


What about the bash that is included with msys / portablegit etc. on Windows?
 
Git-1.9.4-preview20140815 (latest, portable) seems to include some updates to OpenSSH and OpenSSL last month.


What about the bash that is included with msys / portablegit etc. on Windows?

 

Git-1.9.4-preview20140815 (latest, portable) seems to include some updates to OpenSSH and OpenSSL last month.

 

It's affected as well, I assume, since the last update for msysgit is from a week ago or something.

