[kwlug-disc] Vulnerability in bash

Andrew Kohlsmith (mailing lists account) aklists at mixdown.ca
Thu Sep 25 17:49:06 EDT 2014


On Sep 25, 2014, at 5:24 PM, Hubert Chathi <hubert at uhoreg.ca> wrote:
> For the bash bug, the only way for it to be remotely exploitable is if
> you are running a server that executes programs using bash in response
> to remote requests.  For example (probably the most common), if your web
> server executes a cgi script using bash.  But if you do not allow cgi
> scripts (e.g. if you are only using PHP, via mod_php), then you should
> be safe.  Or if your web server only executes cgi scripts using dash
> (which is the default /bin/sh on recent Debian and Ubuntu) instead of
> bash, then you should be safe.
> 
> Am I the only one who is more concerned about the NSS vulnerability?

No, you’re not. This bash bug is being blown WAY out of proportion.

It’s only remotely exploitable if you’re a) executing shell scripts with bash in response to network requests or b) accepting logins from system users you don’t trust. Most systems aren’t either one of these and, as you mentioned, it’s only an issue if you’re executing them with bash.

It’s a bug, and one that needs to be fixed for sure, but is it worth all this drama? Hardly.

-A.
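
The exposure condition discussed in this thread, CGI scripts whose interpreter is bash (directly, or through a `/bin/sh` that points to bash rather than dash), can be checked with a short audit. The following is an added example, not part of the original message; the function names and the CGI directory path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report which CGI scripts are run by bash.
# Function names and the directory argument are assumptions for illustration.

# Print the interpreter named on a script's shebang line, or fail if none.
shebang_interp() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $first in '#!'*) ;; *) return 1 ;; esac
    set -f                      # no globbing while splitting the line
    set -- ${first#'#!'}
    set +f
    # "#!/usr/bin/env bash": the real interpreter is env's first argument
    if [ "${1##*/}" = env ] && [ $# -ge 2 ]; then shift; fi
    [ $# -ge 1 ] && printf '%s\n' "$1"
}

# Follow symlinks so that /bin/sh -> dash and /bin/sh -> bash are told apart.
resolve_interp() {
    real=$1
    case $1 in */*) real=$(readlink -f "$1" 2>/dev/null) || real=$1 ;; esac
    printf '%s\n' "${real##*/}"
}

# Classify one script: "bash", "other:<name>" or "no-shebang".
classify_cgi() {
    interp=$(shebang_interp "$1") || { echo no-shebang; return 0; }
    name=$(resolve_interp "$interp")
    case $name in
        bash) echo bash ;;
        *)    echo "other:$name" ;;
    esac
}

# Walk a CGI directory and print "<classification> <path>" per executable file.
audit_cgi_dir() {
    find "$1" -type f -perm -100 | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(classify_cgi "$f")" "$f"
    done
}

# Usage: audit_cgi_dir /usr/lib/cgi-bin   (path is an assumption)
```

The audit inspects shebang lines only; `resolve_interp /bin/sh` shows what the system shell itself resolves to.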





