Agreed, for most users this is likely a non-issue. However, I don't think the media hype is purely hype. This is a widespread, very serious problem for a really large number of web servers, probably more serious than Heartbleed.
The DHCP issue is potentially exploitable, but much more difficult and less risky in practice, because that's an internal function and the exploiter would have to bind his server to a privileged port, meaning you are already owned. (Or, as has been pointed out, perhaps more risky if somebody could do something clever to a home access point/DHCP server and the client machines were running a Unix derivative with an exploitable client. This seems somewhat esoteric.) The SSH issue seems mostly relegated to very particular circumstances with keys and different usernames (somewhat uncommon). There are undoubtedly several other moderate to low risk scenarios.

On Fri, Sep 26, 2014 at 4:46 PM, Edward Ned Harvey (lopser) <[email protected]> wrote:
> > From: Doug Hughes [mailto:[email protected]]
> >
> > All that is needed is to change the HTTP request headers which are required
> > by spec to be converted into environment variables. If the CGI in question is
> > bash
>
> Thank you for that - indeed I did not know. But the conclusion in my eyes
> hasn't changed - I am certainly *still* in favor of patching every internet-facing
> server as soon as patches are available (or sooner, depending on
> what services it makes available and what other security layers it is
> using).
>
> But the original question was about patching the bash bug for
> non-technical Mac users. Can we generally agree that users' laptops don't
> need a rushed patch, unless the user has enabled services which are
> essentially making the user's laptop act as a server rather than a typical
> laptop? Because we don't know what Apple's updater will do when it sees a
> bash binary that it doesn't recognize, I still think it's best to wait for
> Apple to release their update (unless you happen to have an internet-facing
> Apple server, or some other high-risk individual).
>
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
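The quoted exchange turns on one mechanism: a CGI gateway copies every request header into the environment of the program it launches, and an unpatched bash, on startup, imports any environment variable whose value begins with "() {" as a function definition and runs whatever follows the closing brace. The DHCP and SSH scenarios in the reply are the same mechanism with a different carrier (dhclient hook scripts receive option values as environment variables; sshd with ForceCommand puts the client's requested command into SSH_ORIGINAL_COMMAND). The script below is an added example, not code from the thread or from any poster: it applies the CGI/1.1 header-to-environment rule from RFC 3875, flags header values that would be parsed as a function import, and probes the locally installed bash with a harmless value that only echoes a marker. The header names, the SAMPLE_HEADERS request and the probe value are constructed for illustration; the function and variable names are the example's own.

```python
"""Added example: how an HTTP request header reaches bash through a CGI
environment, plus a local check for the bash function-import bug
(CVE-2014-6271) discussed in the thread. Not code from the original posts."""
import os
import re
import shutil
import subprocess

# Harmless probe: an unpatched bash executes the command after the closing
# brace when it imports this value as a function; a fixed bash ignores it.
# Only "echo" runs, so this is a check, not an exploit payload.
PROBE_VALUE = "() { :; }; echo SHELLSHOCK_VULNERABLE"

# RFC 3875 (CGI/1.1): "Name: value" becomes HTTP_NAME, upper-cased, with
# '-' and other non-alphanumerics replaced by '_'. Two headers have
# dedicated meta-variables without the HTTP_ prefix.
SPECIAL = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def header_to_env_name(name: str) -> str:
    """Map a request header name to its CGI environment variable name."""
    lower = name.strip().lower()
    if lower in SPECIAL:
        return SPECIAL[lower]
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.strip().upper())


def cgi_environment(headers: dict) -> dict:
    """Build the environment block a CGI program inherits from these headers."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        env[header_to_env_name(name)] = value
    return env


# A value an unpatched bash treats as an exported function definition.
FUNC_IMPORT = re.compile(r"^\s*\(\)\s*\{")


def looks_like_function_import(value: str) -> bool:
    """True if the value begins with '() {', the bash function-import marker."""
    return FUNC_IMPORT.match(value) is not None


def suspicious_headers(headers: dict) -> list:
    """Names of headers whose values would be parsed as function imports."""
    return [name for name, value in headers.items()
            if looks_like_function_import(value)]


def bash_imports_trailing_command(bash: str = "bash"):
    """Run the local bash with the probe in its environment.

    Returns True if the trailing command ran (vulnerable), False if it was
    ignored (fixed), None if no bash binary is available on this host.
    """
    path = shutil.which(bash)
    if path is None:
        return None
    env = dict(os.environ)
    env["HTTP_USER_AGENT"] = PROBE_VALUE  # exactly what a CGI would export
    proc = subprocess.run([path, "-c", "echo probe"], env=env,
                          capture_output=True, text=True)
    return "SHELLSHOCK_VULNERABLE" in proc.stdout


# Constructed sample request: the attacker fully controls the User-Agent value.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": PROBE_VALUE,
    "Accept": "*/*",
}

if __name__ == "__main__":
    env = cgi_environment(SAMPLE_HEADERS)
    print("CGI would export:",
          {k: v for k, v in env.items() if k.startswith("HTTP_")})
    print("headers carrying a function definition:",
          suspicious_headers(SAMPLE_HEADERS))
    verdict = {None: "no bash found on PATH",
               True: "local bash is VULNERABLE",
               False: "local bash ignores the import"}
    print(verdict[bash_imports_trailing_command()])
```

The probe is the same idea as the one-liner that circulated at the time (`env x='() { :;}; echo vulnerable' bash -c "echo test"`), wrapped so the result is a return value rather than something to eyeball. Note that suspicious_headers only catches the literal "() {" prefix; it is a useful log or WAF filter for this specific bug, not a substitute for patching, since the server-side bash is what decides whether the trailing text runs.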
