Fred Stluka on 26 Sep 2014 06:31:07 -0700

Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

Anyone have a good idea of how serious a concern this is, from
a practical point of view?

I've read lots of the recent articles about what the exploit could
theoretically do, but not so much about the likelihood that a
server using newer technologies is actually vulnerable.

As I understand it, the risk is only if someone can cause an
arbitrary environment variable to be set and then run a bash
script.  For example, someone already logged in to the server,
or someone accessing it via a CGI script at its Web server.

I may be safe because:
- There are only 3 users with logins and they are trusted
- There is no remote (ssh) root login, only the 3 users
- There are no CGI scripts run by the Apache Web server
- There is no telnet access
- There is no FTP access
- There is no SMTP access
- There is Apache WSGI access to a Python/Django app
- Apache runs as user "apache", not "root"

Do I really need to worry about this, and scramble to patch
it like I did for Heartbleed?  Or just continue to apply future
security patches as usual, as they come along?

Fred Stluka
Bristle Software, Inc -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
On 9/26/14 8:08 AM, Chris Grabowy wrote:

Not sure if everyone is aware of this…

As if consumers weren't already suffering from breach fatigue: Experts warn that attackers are exploiting a critical, newly-disclosed security vulnerability present in countless networks and Web sites that rely on Unix and Linux operating systems. Experts say the flaw, dubbed "Shellshock," is so intertwined with the modern Internet that it could prove challenging to fix, and in the short run is likely to put millions of networks and countless consumer records at risk of compromise.
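The reply above describes the condition for the bug precisely: an attacker-controlled environment variable followed by a bash start (with CGI, the Web server does the exporting, since request headers become variables such as HTTP_USER_AGENT). The script below is an added example, not part of the list post, that checks only the bash binary on the local host: it exports a variable shaped like a function definition with a command appended after the closing brace and reports whether the child bash executes that trailing command (unpatched) or ignores it (patched). The variable name PLUG_SHELLSHOCK_TEST is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original post): local self-test for whether
# this host's bash still runs code appended to an exported function
# definition, i.e. the Shellshock behaviour the thread is discussing.
# Touches no network; only inspects the bash installed on this machine.

shellshock_check() {
    # Prints exactly one word: vulnerable, patched, or no-bash
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # The value looks like a function body "() { :;}" followed by an
    # appended command. An unpatched bash runs the appended command while
    # importing the variable, before it ever executes the -c string.
    _ss_out=$(env PLUG_SHELLSHOCK_TEST='() { :;}; echo trailing-code-ran' \
                  bash -c 'echo probe' 2>/dev/null)
    case "$_ss_out" in
        *trailing-code-ran*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Usage: print the verdict for this host, e.g. before and after patching
shellshock_check
```

Run it again after applying the bash update; the verdict should change from "vulnerable" to "patched".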

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --