[Tfug] Do we need a new bash?

techlists at phpcoderusa.com
Fri Sep 26 07:24:03 MST 2014


I'm running Mint 17 KDE.  Can I just run update and the fix will be 
made?

As I read these few comments it occurs to me that if the box is on a 
private IP and behind a router where the box only has access to 
normal stuff like port 80 and 443 (connections originating from itself) 
the box is relatively safe given there is no external route to this box. 
  Are my assumptions correct?

Thanks!
Keith




On 2014-09-26 07:57, Zack Breckenridge wrote:
> > The worst thing from this will be the same as heartbleed, every
> > non-technical manager type jumping up and down that this has to get
> > fixed, even to the point of shutting systems down until they can get
> > fixed... when the systems are test/internal systems that can only be
> > reached by going through bastion hosts on the internal network...
> 
> So, normally I don't side with non-technical manager types... But if
> you have an *unpatched bash* sitting around (and that includes OS X),
> turning off the machine until you can patch it isn't such a bad idea.
> 
> After patching and reviewing the bug's impact and upgrading for the
> past day and a half, and looking at what traffic others are seeing
> online already... Without going into much detail (and I can if you'd
> like), I will agree that the bug actually *is* this bad.
> 
> I mean, it's hard to qualify untechnical managers' recommendations,
> because they're generally based on news cycles ;) but in this case --
> the news isn't so far off.
> 
> As a colleague and I decided yesterday, we think this bug should be
> explained probabilistically: x% of hosts with an unpatched bash WILL
> be compromised with a probability of 1. No one knows what x is yet,
> and it's likely no one ever will. And also, no one knows what the
> exact path to compromise will look like yet. It will likely differ in
> many cases.
> 
> Zack B.



