[174666] in North American Network Operators' Group


Re: update

daemon@ATHENA.MIT.EDU (Michael Thomas)
Wed Sep 24 18:37:19 2014

X-Original-To: nanog@nanog.org
Date: Wed, 24 Sep 2014 15:35:40 -0700
From: Michael Thomas <mike@mtcc.com>
To: nanog@nanog.org
In-Reply-To: <CAGfsgR1a5brii8HyXvbYXfsWefi8ZXCg31XL5jxG_tc-PUUCrQ@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org


On 9/24/14, 3:27 PM, Jim Popovitch wrote:
> On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg@gmail.com> wrote:
>> The scope of the issue isn't limited to SSH, that's just a popular
>> example people are using.  Any program calling bash could potentially
>> be vulnerable.
> Agreed.  My point was that bash is not all that popular on
> debian/ubuntu for accounts that would be running public facing
> services that would be processing user defined input (www-data,
> cgi-bin, list, irc, lp, mail, etc).  Sure some non-privileged user
> could host their own cgi script on >:1024, but that's not really a
> critical "stop the presses!!" upgrade issue, imho.
>
>

This has already made it to /., so I'm not sure why Randy was being so
hush-hush...

But my read is that this could affect anything that calls bash to do
processing, like handing off to CGI by putting in headers to p0wn the box.
Also: bash is incredibly pervasive throughout any unix distro, in not at all
obvious places, so I wouldn't be complacent about this at all.

Mike
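The two posts above disagree about how much bash is actually reachable from
service code on a host. The script below is an added example (not code from
the thread or from anyone on it) that turns that question into three concrete
checks: whether /bin/sh is really bash (so every system()/popen() call lands
in it), which scripts declare a bash shebang, and which accounts have bash as
a login shell. It assumes POSIX sh plus `readlink -f` (GNU coreutils or
busybox); the sample web tree and passwd file are constructed fixtures, not
data from any real system.

```shell
#!/bin/sh
# Added example, not code from the NANOG thread: audit where bash is reachable
# on a host. Assumes POSIX sh with readlink -f (GNU coreutils/busybox).
# The fixture tree and passwd file built by make_fixture are constructed data.

# 1. Is /bin/sh (or the given path) really bash?  system() and popen() run
#    /bin/sh, so a bash-backed /bin/sh exposes every program that shells out,
#    not only scripts that ask for bash explicitly.  Prints the resolved
#    target; returns 0 when it is bash.
sh_is_bash() {
    target=$(readlink -f "${1:-/bin/sh}" 2>/dev/null)
    printf '%s\n' "${target:-unresolved}"
    case "$(basename -- "${target:-x}")" in
        bash*) return 0 ;;
        *)     return 1 ;;
    esac
}

# 2. Files under DIR whose shebang names bash (#!/bin/bash, #!/usr/bin/env
#    bash, #!/bin/bash -e ...).  A #!/bin/sh script is deliberately not
#    reported here; that interpreter is covered by sh_is_bash.
bash_shebangs() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!'*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# 3. Accounts in a passwd-format file whose login shell is bash.  A service
#    account with /usr/sbin/nologin still ends up in bash if its daemon execs
#    it, so this is a hint about exposure, not a clean bill of health.
bash_login_accounts() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "$1"
}

# Constructed fixture: a fake web tree, a cron directory and a passwd file.
# Prints the fixture directory; the caller removes it.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin" "$d/cron.daily"
    printf '#!/bin/bash\necho "Content-type: text/plain"\necho\nuptime\n' > "$d/cgi-bin/status"
    printf '#!/bin/sh\nexit 0\n' > "$d/cgi-bin/health"
    printf '#!/usr/bin/env bash\n# rotate logs\n' > "$d/cron.daily/rotate"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' >> "$d/passwd"
    printf 'list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n' >> "$d/passwd"
    printf 'mike:x:1000:1000::/home/mike:/bin/bash\n' >> "$d/passwd"
    printf '%s\n' "$d"
}

# Demo against the fixture; point bash_shebangs at your own tree and
# bash_login_accounts at /etc/passwd for a real audit.
demo() {
    d=$(make_fixture)
    if target=$(sh_is_bash); then
        echo "/bin/sh resolves to bash ($target): every system()/popen() call lands in bash"
    else
        echo "/bin/sh resolves to $target, not bash"
    fi
    echo "scripts that explicitly ask for bash:"
    bash_shebangs "$d" | sed 's/^/  /'
    echo "accounts whose login shell is bash:"
    bash_login_accounts "$d/passwd" | sed 's/^/  /'
    rm -rf "$d"
}

demo
```

On the fixture this reports the CGI status script and the cron job as bash
callers and root and mike as bash login accounts, while the www-data and list
accounts stay silent; the /bin/sh result depends on the host. The point of the
third check being only a hint is the one Mike makes: a daemon running as a
nologin account can still exec bash itself, so the shebang scan and the
/bin/sh check matter more than the passwd file.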
