Hi Terry,

> There must be millions of similar devices out there, eg TVs, routers,
> network storage, fridges even. Who's going to sort them out?

The machine has to be running bash; lots of smaller devices run a lighter shell, e.g. dash, or Busybox. And to be vulnerable, there has to be a means of passing environment variables to bash, e.g. a CGI script implemented in bash where the HTTP request can contain values that the web server passes in the environment.

Another alternative is an SSH server that lets you log in, but forces you to run a particular command, e.g. rsync for backups. The original command you requested is passed on by the SSH server to bash, your login shell, in the environment.

I've seen no indication that just because a machine runs bash then it's vulnerable. http://www.bbc.co.uk/news/technology-29361794 in particular is full of exaggeration by unnamed "security experts". http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ is better.

Cheers, Ralph.

-- 
Next meeting: Bournemouth, Tuesday, 2014-10-07 20:00
Meets, Mailing list, IRC, LinkedIn, ... http://dorset.lug.org.uk/
New thread on mailing list: mailto:dorset@mailman.lug.org.uk
How to Report Bugs Effectively: http://goo.gl/4Xue
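
The two exposure paths named in the message above (a CGI script that bash interprets, and an SSH forced command on an account whose login shell is bash) can be audited on a host with a few checks. This is an added example, not part of the original message; the function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit the two exposure paths from the message (sample data is constructed).

# Print the interpreter on a script's "#!" line (bash, dash, sh, ...).
shebang_shell() {
    sed -n '1{s/^#![[:space:]]*//p;q;}' "$1" |
        awk '{ n = split($1, p, "/"); s = p[n]
               if (s == "env" && NF > 1) { n = split($2, p, "/"); s = p[n] }
               print s }'
}

# List CGI scripts that bash would run. Pass "yes" as $2 when /bin/sh
# on the audited host is bash, so "#!/bin/sh" scripts count as well.
bash_cgi_scripts() {
    find "$1" -type f | sort | while read -r f; do
        case "$(shebang_shell "$f")" in
            bash) echo "$f" ;;
            sh)   if [ "${2:-no}" = yes ]; then echo "$f"; fi ;;
        esac
    done
}

# Login shell of a user, read from a passwd-format file.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Forced commands (command="...") in an authorized_keys file; they only
# reach bash when the account's login shell is bash.
forced_commands() {
    sed -n '/^#/d; s/.*command="\([^"]*\)".*/\1/p' "$1"
}

# Build a constructed sample tree under directory $1.
make_sample() {
    mkdir -p "$1/cgi-bin"
    printf '#!/bin/bash\necho "Content-Type: text/plain"\n' > "$1/cgi-bin/status.cgi"
    printf '#!/usr/bin/env bash\necho ok\n' > "$1/cgi-bin/env.cgi"
    printf '#!/bin/sh\necho ok\n' > "$1/cgi-bin/ping.cgi"
    printf '#!/usr/bin/perl\nprint "ok";\n' > "$1/cgi-bin/form.cgi"
    printf 'backup:x:1001:1001::/home/backup:/bin/bash\nweb:x:33:33::/var/www:/bin/dash\n' > "$1/passwd"
    printf 'command="rsync --server",no-pty ssh-ed25519 AAAA-constructed backup@host\n' > "$1/authorized_keys"
}

d=$(mktemp -d) && make_sample "$d"
echo "bash CGI scripts:"; bash_cgi_scripts "$d/cgi-bin" | sed 's/^/  /'
echo "backup login shell: $(login_shell backup "$d/passwd")"
echo "forced commands: $(forced_commands "$d/authorized_keys")"
rm -rf "$d"
```

On a real host, point the functions at the web server's CGI directory, `/etc/passwd` and each account's `authorized_keys`; a device whose scripts all report dash or Busybox sh falls outside both paths.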