Bash Vulnerability

MickZA said:
Fedora 20 was patched in the latest batch of updates.
Click to expand...

Haven't seen that trickle through yet...
[root@rmb-svy1-w2 ~]# yum check-update
Loaded plugins: blacklist, fastestmirror, langpacks, refresh-packagekit
Loading mirror speeds from cached hostfile
[root@rmb-svy1-w2 ~]# logout
[svy@rmb-svy1-w2 ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
 
Sinbad said:
Haven't seen that trickle through yet...
[root@rmb-svy1-w2 ~]# yum check-update
Loaded plugins: blacklist, fastestmirror, langpacks, refresh-packagekit
Loading mirror speeds from cached hostfile
[root@rmb-svy1-w2 ~]# logout
[svy@rmb-svy1-w2 ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Click to expand...
There was a kernel update as well
Code: 
[mick@mick1 ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
[mick@mick1 ~]$ uname -r
3.16.3-200.fc20.x86_64
 
Hmm. What URL are you using for repos? I'm not getting that update
 
Sinbad said:
Hmm. What URL are you using for repos? I'm not getting that update
Click to expand...
Code: 
Loading mirror speeds from cached hostfile
 * fedora: ftp.sun.ac.za
 * rpmfusion-free: mirror.wbs.co.za
 * rpmfusion-free-updates: mirror.wbs.co.za
 * rpmfusion-nonfree: mirror.wbs.co.za
 * rpmfusion-nonfree-updates: mirror.wbs.co.za
 * updates: mirror.anl.gov
 
And the most fascinating part about this vulnerability is the comment from a snr sysadmin at a prominent local hosting company: "No need to patch, none of our VPS are running CGIs".
 
MagicDude4Eva said:
One you don't want to host with - escalated to their executives and now seems to be sorted out (along with also applying the heartbleed patch)
Click to expand...
I still want to know who it is, to make sure I don't host with them. If you don't want to put it here publicly, could you send it to me via private message?
 
Tinuva said:
I still want to know who it is, to make sure I don't host with them. If you don't want to put it here publicly, could you send it to me via private message?
Click to expand...

I think this was more an attitude problem than anything else. Bit puzzling that they do not know about stuff like that, but they are now implementing some CAB security process. Not going to PM names as they are fixing it.
 
MagicDude4Eva said:
I think this was more an attitude problem than anything else. Bit puzzling that they do not know about stuff like that, but they are now implementing some CAB security process. Not going to PM names as they are fixing it.
Click to expand...
Even more reason to know who.

Fact of the matter is, its far more difficult to fix a sysadmin attitude problem, than it is to get one without that problem to fix security holes. In my books, having someone with the correct attitude goes much further than having a know it all sysadmin.

I read about the bug on Wednesday evening already before going to bed. Sent a mail to all our sysadmins. Before I got in to work on Thursday morning 90% of the systems was already patched and updated, with a select few non-customer facing ones left to do.
 
Tinuva said:
Even more reason to know who.

Fact of the matter is, its far more difficult to fix a sysadmin attitude problem, than it is to get one without that problem to fix security holes. In my books, having someone with the correct attitude goes much further than having a know it all sysadmin.

I read about the bug on Wednesday evening already before going to bed. Sent a mail to all our sysadmins. Before I got in to work on Thursday morning 90% of the systems was already patched and updated, with a select few non-customer facing ones left to do.
Click to expand...

well it's the same guys who have zero problem hosting open SMTP relays - so there. 'nuff said. (then again, there are also some really big ISPs allowing relays and some have half their ASNs reputation poisoned by that)
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X