Bash vulnerability and solution


The Mac OS X Server Mailing List mailing list
Hello,
I just thought to post this as this is working for me :-)
http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html
cheers
Matthias


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      ([hidden email])
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macos-x-server/lists%2Bs10970n2h62%40n7.nabble.com

This email sent to [hidden email]

Re: Bash vulnerability and solution

The Mac OS X Server Mailing List mailing list
Thanks for that.




On 28 Sep 2014, at 8:27 pm, OS X Server Mail List <[hidden email]> wrote:

> Hello,
> I just thought to post this as this is working for me :-)
> http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html
> cheers
> Matthias




Re: Bash vulnerability and solution

The Mac OS X Server Mailing List mailing list
In reply to this post by The Mac OS X Server Mailing List mailing list
Thanks a lot Matthias!

--
Regards,
../Hanx
Sent from my iPhonie5..

> On 28 Sep, 2014, at 18:27, OS X Server Mail List <[hidden email]> wrote:
>
> Hello,
> I just thought to post this as this is working for me :-)
> http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html
> cheers
> Matthias



Re: Bash vulnerability and solution

The Mac OS X Server Mailing List mailing list
In reply to this post by The Mac OS X Server Mailing List mailing list

On 28 Sep 2014, at 11:27am, OS X Server Mail List <[hidden email]> wrote:

> Hello,
> I just thought to post this as this is working for me :-)
> http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

While Matthias' post will be important for some readers of this list, I'm going to save some of you some unnecessary hassle.

You don't need to worry about patching this unless you have a web server running CGI scripts which do certain things.  You don't even need it if you have CGI scripts enabled: you actually need to have at least one which actually runs.  Or you need to have enabled the PHP ability to execute shell commands (off by default) and have a badly written PHP file which doesn't vet its parameters.  An OS X Server which runs the pre-installed Apache and PHP with the default configuration isn't subject to this vulnerability.

You will also be reading about a situation where the shellshock vulnerability interacts with DHCP service to allow a DHCP server to run arbitrary shell commands on any computer using its DHCP service.  Your Mac clients are immune to this one since they handle DHCP client IP configuration using a .plist rather than by running a bash shell script.

The above is not to say that all Macs are completely immune to shellshock.  It's possible that you are a power-user with an unusual setup, or that something else like the DHCP-related vulnerability will be discovered.  However, with what we know now, unless you have changed default configuration and installed your own scripts, you probably don't need to worry about a patch.

Simon.
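
Added example, not part of the message above or of the list: a first-pass shell triage of the conditions that message names, namely CGI being enabled, at least one CGI script that runs through a shell, and PHP files that call shell-executing functions. The function names, the patterns and the fixture paths are assumptions made for illustration; a CGI script in another language that itself spawns a shell is not detected and still needs manual review.

```shell
#!/bin/sh
# Added example: every path is a caller-supplied argument; the fixture is constructed.

# Active (non-comment) Apache directives that turn on CGI execution.
cgi_directives() {  # $1 = Apache config file
    grep -Ev '^[[:space:]]*#' "$1" | grep -Fv -e '-ExecCGI' |
        grep -Ei 'ScriptAlias|(Add|Set)Handler[[:space:]]+cgi-script|Options.*ExecCGI'
}

# Executable files under a CGI directory whose interpreter line is sh or bash.
shell_cgi_scripts() {  # $1 = CGI directory
    find "$1" -type f -perm -100 2>/dev/null | sort | while IFS= read -r f; do
        if head -n 1 "$f" | grep -Eq '^#!.*[/[:space:]](ba)?sh([[:space:]]|$)'; then
            printf '%s\n' "$f"
        fi
    done
}

# PHP files under a web root that call a shell-executing function.
php_shell_calls() {  # $1 = web root
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while IFS= read -r f; do
        if grep -Eq '(^|[^[:alnum:]_>])(shell_exec|passthru|proc_open|popen|system|exec)[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Both CGI conditions must hold; a PHP hit alone is reported for manual review.
triage() {  # $1 = Apache config, $2 = CGI directory, $3 = web root
    if cgi_directives "$1" >/dev/null && [ -n "$(shell_cgi_scripts "$2")" ]; then
        echo "cgi: review"
    else
        echo "cgi: none"
    fi
    if [ -n "$(php_shell_calls "$3")" ]; then echo "php: review"; else echo "php: none"; fi
}

# Constructed fixture: CGI enabled, one bash CGI, one Perl CGI, one PHP page.
make_fixture() {  # $1 = empty directory to populate
    mkdir -p "$1/cgi-bin" "$1/htdocs"
    printf '%s\n' '# Options -ExecCGI' 'ScriptAlias /cgi-bin/ "/srv/cgi-bin/"' > "$1/httpd.conf"
    printf '%s\n' '#!/bin/bash' 'echo "Content-type: text/plain"; echo; date' > "$1/cgi-bin/status.cgi"
    printf '%s\n' '#!/usr/bin/perl' 'print "Content-type: text/plain\n\nok\n";' > "$1/cgi-bin/ok.pl"
    printf '%s\n' '<?php echo shell_exec("uptime"); ?>' > "$1/htdocs/up.php"
    chmod 755 "$1/cgi-bin/status.cgi" "$1/cgi-bin/ok.pl"
}

tmp=$(mktemp -d) && make_fixture "$tmp" && triage "$tmp/httpd.conf" "$tmp/cgi-bin" "$tmp/htdocs"
rm -rf "$tmp"
```

A "review" result means the preconditions are present on that host, not that a particular script is exploitable.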


