[TriLUG] Fwd: [ NNSquad ] Bug in Bash shell creates big security hole on anything with *nix in it
John Vaughters
jvaughters04 at yahoo.com
Thu Sep 25 10:27:24 EDT 2014
Steve,
Thanks for the notice. I had the issue on all RH6.x boxes and RH7. An easy fix: those not looking to do their scheduled updates yet may want to just run the 'yum update bash' command, or the proper update command for your Linux type. I have heard that RedHat and Ubuntu have issued fixes.
Thanks,
John Vaughters
On Wednesday, September 24, 2014 6:37 PM, Steve Holton <sph0lt0n at gmail.com> wrote:
Quick summary:
There is an easy test to determine if a Linux or Unix system is vulnerable.
> To check your system, from a command line, type:
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> If the system is vulnerable, the output will be:
> vulnerable
> this is a test
> An unaffected (or patched) system will output:
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
> The fix is an update to a patched version of the Bash shell. To be safe,
> administrators should do a blanket update of their versions of Bash in any
> case.
---------- Forwarded message ----------
From: Lauren Weinstein <lauren at vortex.com>
Date: Wed, Sep 24, 2014 at 6:02 PM
Subject: [ NNSquad ] Bug in Bash shell creates big security hole on
anything with *nix in it
To: nnsquad at nnsquad.org
Bug in Bash shell creates big security hole on anything with *nix in it
Could allow attackers to execute code on Linux, Unix, and Mac OS X
(Ars):
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
"The bug, discovered by Stephane Chazelas, is related to how Bash
processes environmental variables passed by the operating system or by
a program calling a Bash-based script. If Bash has been configured as
the default system shell, it can be used by network-based attackers
against servers and other Unix and Linux devices via Web requests,
secure shell, telnet sessions, or other programs that use Bash to
execute scripts."
- - -
--Lauren--
Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
Founder:
- Network Neutrality Squad: http://www.nnsquad.org
- PRIVACY Forum: http://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility:
http://www.pfir.org/pfir-info
Member: ACM Committee on Computers and Public Policy
I am a consultant to Google -- I speak only for myself, not for them.
Lauren's Blog: http://lauren.vortex.com
Google+: http://google.com/+LaurenWeinstein
Twitter: http://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com
--
Steve Holton
sph0lt0n at gmail.com
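
The test quoted in the message above, wrapped so it can be run against every bash binary on a host and give one verdict per binary. This is an added example, not part of the original thread; the function names and verdict strings are assumptions chosen here.

```shell
#!/bin/sh
# Added example: wraps the one-line test quoted in the thread.
# Function names and verdict strings are chosen here, not from the thread.

# Read probe output on stdin and print a verdict.
classify_probe_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        # The text after the function body was executed during import.
        echo VULNERABLE
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        # bash ran the -c command and nothing leaked from the variable.
        echo NOT_VULNERABLE
    else
        # bash did not run at all, or printed something unexpected.
        echo INCONCLUSIVE
    fi
}

# Run the thread's test against one bash binary (default: bash on PATH).
check_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo INCONCLUSIVE
        return 0
    fi
    # stderr is merged so the "ignoring function definition attempt"
    # warning from a patched bash is captured rather than shown.
    env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1 |
        classify_probe_output
}

# Check the bash on PATH, then every bash listed in /etc/shells.
check_all() {
    printf '%s\t%s\n' "bash (PATH)" "$(check_bash bash)"
    [ -r /etc/shells ] || return 0
    grep -E '^/.*/bash$' /etc/shells | while read -r shell_path; do
        printf '%s\t%s\n' "$shell_path" "$(check_bash "$shell_path")"
    done
}

check_all
```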