[174663] in North American Network Operators' Group
Re: update
daemon@ATHENA.MIT.EDU (Jim Popovitch)
Wed Sep 24 18:27:10 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <CAPf5k+6L5JiHoK8ctW0YkwYhzTVV489201fQ7Vcv822SLO7y=A@mail.gmail.com>
Date: Wed, 24 Sep 2014 18:27:03 -0400
From: Jim Popovitch <jimpop@gmail.com>
To: Brandon Whaley <redkrieg@gmail.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg@gmail.com> wrote:
> The scope of the issue isn't limited to SSH, that's just a popular
> example people are using. Any program calling bash could potentially
> be vulnerable.

Agreed. My point was that bash is not all that popular on
debian/ubuntu for accounts that would be running public-facing
services that would be processing user-defined input (www-data,
cgi-bin, list, irc, lp, mail, etc). Sure, some non-privileged user
could host their own cgi script on >:1024, but that's not really a
critical "stop the presses!!" upgrade issue, imho.

-Jim P.