Customer sent me email asking about ShellShock/bash bug vulnerability.
rut roh!
The first post I see says Fedora/Red Hat put up fixes.
So much for not updating systems for years and years...
Howard
--
--
You received this message because you are subscribed to the Google Groups
NLUG group.
Meh, already patched.
On Sep 25, 2014 9:14 AM, Howard White hwh...@vcch.com wrote:
Customer sent me email asking about ShellShock/bash bug vulnerability. rut
roh!
The first post I see says Fedora/Red Hat put up fixes.
So much for not updating systems for years and years...
Howard
--
--
On Thu, Sep 25, 2014 at 09:17:23AM -0500, Holland Griffis wrote:
Meh, already patched.
Sadly, no, it isn't.
The first set of patches addressed only a part of the problem; there is a
subsequent issue, CVE-2014-7169, that remains unpatched by Red Hat or
other distros at this point.
See
How it can be exploited:
http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited/68130#68130
Patched all our systems yesterday in a few seconds with Config Management
Tool of Choice (TM).
On Thu, Sep 25, 2014 at 9:17 AM,
Just ran the test in Linux Mint 17. Mint passed OK.
Tabo
On Thu, Sep 25, 2014 at 9:22 AM, Tim O'Guin timog...@gmail.com wrote:
How it can be exploited:
http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited/68130#68130
With the initial patch not being a complete one, here is how you can test
if you're still vulnerable:
$ env X='() { (a)=\' sh -c echo vulnerable
On Thu, Sep 25, 2014 at 2:26 PM, Paul Tabolinsky paul.t...@gmail.com
wrote:
Just ran the test in Linux Mint 17. Mint passed OK.
Tabo
On Thu, Sep
There is an update for Command Line Tools in the App Store for OS X, FYI.
On Thu, Sep 25, 2014 at 2:58 PM, Bruce W. Martin marti...@gmail.com wrote:
I am a bit confused about this bug. What is the vector to exploit this? If
I turn off the web server daemon is the only vector then from those
Is it fumble fingers or bad auto correct? I actually shut down the Debian
server.
Bruce
On Sep 25, 2014, at 2:58 PM, Bruce W. Martin marti...@gmail.com wrote:
I am a bit confused about this bug. What is the vector to exploit this? If I
turn off the web server daemon is the only vector then
On Thu, Sep 25, 2014 at 02:58:51PM -0500, Bruce W. Martin wrote:
I am a bit confused about this bug. What is the vector to exploit
this? If I turn off the web server daemon is the only vector then from
those who can log in with appropriate credentials? I have an old RHEL
server that no longer
On Thu, Sep 25, 2014 at 03:15:20PM -0500, Bruce W. Martin wrote:
Is it fumble fingers or bad auto correct? I actually shut down the Debian
server.
I'm going with Freudian slip.
John
--
Basic research is when I am doing what
In case you haven't seen them yet, here is documentation of the exploits
seen so far in the wild:
http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as-exploit-reported-in-the-wild/
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
Amber
On Thu, Sep 25, 2014 at 2:58 PM, Bruce W. Martin marti...@gmail.com wrote:
I am a bit confused about this bug. What is the vector to exploit this?
Most web servers pass various bits of information to CGI scripts via
environment variables, such as HTTP_USER_AGENT, HTTP_REFERER, and
others, which
Or was that a Freudian slip, where you accidentally say what you were thinking?
On September 25, 2014 3:15:14 PM Bruce W. Martin marti...@gmail.com wrote:
Is it fumble fingers or bad auto correct? I actually shut down the Debian
server.
Bruce
On Sep 25, 2014, at 2:58 PM, Bruce W. Martin
Do we know if this is **strictly** bash or if ZSH is vulnerable as well?
On Thu, Sep 25, 2014 at 5:38 PM, John F. Eldredge j...@jfeldredge.com wrote:
Or was that a Freudian slip, where you accidentally say what you were
thinking?
On September 25, 2014 3:15:14 PM Bruce W. Martin
I just installed the published CentOS 6.5 patch for this and it passes that
test.
On Thu, Sep 25, 2014 at 2:29 PM, Tim O'Guin timog...@gmail.com wrote:
With the initial patch not being a complete one, here is how you can test
if you're still vulnerable:
$ env X='() { (a)=\' sh -c echo
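Added example, not from any poster in this thread: the CGI vector discussed above copies request headers such as HTTP_USER_AGENT and HTTP_REFERER into environment variables, so one defensive check is to scan web server access logs for header values carrying a bash function-definition prefix. The log lines, addresses and function names are constructed for illustration, and the Apache "combined" log format is an assumption.

```python
import re

# One quoted log field; Apache writes embedded quotes as \" so allow escapes.
FIELD = r'"(?P<{}>(?:[^"\\]|\\.)*)"'

# Assumed layout (Apache "combined"):
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] ' + FIELD.format("request") +
    r' \d{3} \S+ ' + FIELD.format("referer") + ' ' + FIELD.format("agent")
)

# Unpatched bash parsed environment values beginning with "() {" as
# function definitions; tolerate extra whitespace between the tokens.
FUNC_PREFIX = re.compile(r'\(\)\s*\{')


def scan(lines):
    """Return (ip, field) pairs for log fields carrying the prefix."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            # Do not silently skip lines the parser cannot split:
            # still flag them if the prefix appears anywhere.
            if FUNC_PREFIX.search(line):
                hits.append((line.split()[0], "raw"))
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.search(m.group(field)):
                hits.append((m.group("ip"), field))
    return hits


# Constructed sample lines (documentation address ranges, commands elided).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:14:58:51 -0500] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:15:02:10 -0500] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { x; }; [command removed]"',
    '203.0.113.5 - - [25/Sep/2014:15:03:44 -0500] "GET /index.html HTTP/1.1" '
    '200 1024 "() { x; }; [command removed]" "curl/7.38 \\"test\\""',
    '203.0.113.9 malformed line () { x; }; [command removed]',
]

if __name__ == "__main__":
    for ip, field in scan(SAMPLE):
        print(f"{ip}: function-definition prefix in {field}")
```

A hit only shows that a request carried the pattern; whether the host was affected still depends on the bash version it was running at the time.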