A further update has been released by Red Hat in the last few hours.

WHM/cPanel-based web servers that I manage, which check for updates at around 4am, did not get the latest update, but it was available when I checked manually this morning. As the default update checking time is between midnight and 5am, this could mean there are a lot of UK-based web servers that won't get the latest update until tonight, unless the owners manually check them.


On 25/09/2014 18:27, Terry Coles wrote:
> On Thursday 25 Sep 2014 16:58:31 Ralph Corderoy wrote:
>>> There must be millions of similar devices out there, eg TVs, routers,
>>> network storage, fridges even.  Who's going to sort them out?
>> The machine has to be running bash;  lots of smaller devices run a
>> lighter shell, e.g. dash, or Busybox.  And to be vulnerable, there has
>> to be a means of passing environment variables to bash, e.g. a CGI
>> script implemented in bash where the HTTP request can contain values
>> that the web server passes in the environment.  Another alternative is
>> an SSH server that lets you log in, but forces you to run a particular
>> command, e.g. rsync for backups.  The original command you requested is
>> passed on by the SSH server to bash, your login shell, in the
>> environment.
>>
>> I've seen no indication that just because a machine runs bash then it's
>> vulnerable.  http://www.bbc.co.uk/news/technology-29361794 in particular
>> is full of exaggeration by unnamed "security experts".
>> http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ is better.
> I must admit; I was reading the BBC!
>
> Having said that; the Stora is a fairly accessible device, which allows remote
> logins to play media from almost any device connected to the internet, so I
> guess it might be running bash.
>
> I'm on leave tomorrow, so I'll try to find out.  There used to be an OpenStora
> website which helped people to do lots of stuff that the Axentra web
> interface didn't, but I see that the domain has expired so maybe I'll have to
> wing it a bit.  I still have the instructions for getting in using SSH, so at
> least I can see if bash is installed.


--

*Paul Stenning*
S&P Technology
Box 170, 89 Commercial Road, Bournemouth, BH2 5RR

p...@sp-tech.co.uk
www.sp-tech.co.uk

--
Next meeting:  Bournemouth, Tuesday, 2014-10-07 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
New thread on mailing list:  mailto:dorset@mailman.lug.org.uk
How to Report Bugs Effectively:  http://goo.gl/4Xue
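
The exposure conditions described in the quoted reply above (bash being the interpreter behind CGI scripts, and forced SSH commands on accounts whose login shell is bash) can be inventoried on a host with a read-only script. This is an added example, not part of the original thread; the function names and the default CGI directory are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): read-only inventory of where bash is
# reachable on a host. Function names and default paths are assumptions.

# Program an interpreter path really runs, following symlinks
# (/bin/sh may be bash, dash or busybox depending on the system).
resolve_shell() {
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    basename "$target"
}

# True if the script's "#!" line runs it under bash: directly, via env,
# or via an sh that resolves to bash.
script_runs_bash() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case $first in '#!'*) ;; *) return 1 ;; esac
    set -f; set -- ${first#??}; set +f   # split the interpreter line into words
    interp=$1
    [ "$(basename "$interp")" = env ] && interp=$2
    case $interp in
        */*) [ "$(resolve_shell "$interp")" = bash ] ;;
        *)   [ "$interp" = bash ] ;;
    esac
}

# Scripts in a CGI directory that bash would interpret.
bash_cgi_scripts() {
    for f in "$1"/*; do
        if [ -f "$f" ] && script_runs_bash "$f"; then echo "$f"; fi
    done
}

# Accounts in a passwd-format file whose login shell is bash.
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "$1"
}

# Number of authorized_keys entries that carry a forced command="..." option.
forced_command_keys() {
    grep -cE '^(command="|[^#]*,command=")' "$1" || true
}

main() {
    cgi_dir=${1:-/var/www/cgi-bin}       # assumed default location
    echo "/bin/sh resolves to: $(resolve_shell /bin/sh)"
    echo "bash-interpreted scripts in $cgi_dir:"; bash_cgi_scripts "$cgi_dir"
    echo "accounts with bash as login shell:"; bash_login_users /etc/passwd
}
main "$@"
```

An account listed by `bash_login_users` matters for the SSH case only if `forced_command_keys` reports entries in that account's `authorized_keys` file, or the server configuration forces a command for it.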
