# BASH users : read this



## blobster21 (Sep 25, 2014)

> A vulnerability related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script has been recently discovered.
> 
> The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:
> 
> ...



Source: arstechnica

Update your repositories and you should see an updated bash release available. I did it for my Debian boxes and Raspberry Pi; everything is OK now.


----------



## awesomesauce (Sep 25, 2014)

Here is another news item with some detail about bash:

http://www.theverge.com/2014/9/25/6843669/bash-shellshock-network-worm-could-cause-internet-meltdown


----------



## Guitar (Sep 25, 2014)

Updated all my servers at work. Thanks.


----------



## yogurt_21 (Sep 25, 2014)

Got ours updated today. Love the fact that this exploit has basically existed for 25 years...


----------



## Ferrum Master (Sep 25, 2014)

Serious issue...


----------



## blobster21 (Sep 26, 2014)

Update: It's still unclear to me whether you're safe once you have upgraded your version to 4.2+dfsg-0.1+deb7u1, committed yesterday...

In fact, an updated version has been re-rolled:

Unless you have either 4.1-3+deb6u2, 4.2+dfsg-0.1+deb7u3 or 4.3-9.1, you're potentially still exposed.

And just to make things clear: the vulnerability has the potential to create a privilege escalation on your system (severity level of 10, only with a much more difficult exploitability level of 10).

Sources: security tracker @ debian.org & MEPIS
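The two bugs blobster21's posts refer to (the original environment-variable import bug from the first post, and the incomplete fix that forced the re-rolled packages above) can both be probed locally with the well-known one-liners, wrapped here into a self-check. This is an added example, not code from the thread or from the Debian package; it assumes a `bash` binary on `PATH` plus POSIX `env` and `mktemp`, and the function names (`check_cve_2014_6271`, `check_cve_2014_7169`, `exported_function_env`) are mine. It runs under plain `sh`; only the interpreter being probed has to be bash.

```shell
#!/bin/sh
# Added example (not from the thread): local self-check for the two Shellshock
# bugs the posts refer to. Each check runs bash as a child process with a
# crafted environment variable, the same delivery path as "a program calling a
# Bash-based script", and reports what that bash did with it.

# Prints "vulnerable", "patched", or "no-bash" for CVE-2014-6271, the original
# bug: bash imported any variable whose value starts with "() {" as a function
# and kept parsing past the closing brace, so the trailing command ran.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # The variable name is arbitrary; the value is what matters. The marker
    # is only echoed if the probed bash executes the trailing command.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Prints "vulnerable", "patched", or "no-bash" for CVE-2014-7169, the reason
# the first patch was re-rolled: a malformed function body left the parser
# in a state where the next command's first word became a redirection target,
# so 'echo date' ran as 'date > echo' and created a file named "echo".
# The probe runs in a throwaway directory so that file never lands in $PWD.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    tmp=$(mktemp -d) || { echo error; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$tmp/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Shows the mechanism behind both bugs: bash hands exported functions to
# child processes as environment variables whose value starts with "() {".
# Prints the first such line from env, or "no-bash" if bash is absent.
# Unpatched bash named the variable after the function itself (f=...);
# patched builds use a reserved prefix so an ordinary variable is never
# mistaken for a function definition. Either way the "() {" marker is present.
exported_function_env() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    line=$(bash -c 'f() { echo hi; }; export -f f; env' | grep -F '() {' | head -n 1) || true
    echo "$line"
}

printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
printf 'exported function as seen by a child process: %s\n' "$(exported_function_env)"
```

A "patched" result only means these two specific probes did not fire; the post's point stands that you should still compare the installed package version against your distribution's advisory rather than trust a single one-liner.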


----------



## johnspack (Sep 26, 2014)

Could this affect BusyBox users under Android?


----------



## blobster21 (Sep 26, 2014)

johnspack said:

> Could this affect BusyBox users under Android?

Fortunately *NO*.

BusyBox uses the Almquist Shell (aka ash) as default system shell, which is not subject to this vulnerability.


----------



## Aquinus (Sep 26, 2014)

Thanks, but I had this patched two days ago.
There was a discussion on the Linux security mailing list about this before it went "public". By the time anyone really knew about it, the patch had already been made for BASH and at least Debian had pushed it out already. If you've updated Debian in the last 36 hours, you probably have the patch.

While this is a vulnerability, it's not one if you have a server set up with half-decent security settings, because you would need to actually be able to get into bash to do anything in the first place, and that first leap in a secure system is hard. Much like Heartbleed, in most cases this isn't going to be an issue, and it certainly isn't now as a patch is already floating around.


----------



## Frick (Sep 29, 2014)

Aquinus said:

> While this is a vulnerability, it's not one if you have a server set up with half-decent security settings, because you would need to actually be able to get into bash to do anything in the first place, and that first leap in a secure system is hard. Much like Heartbleed, in most cases this isn't going to be an issue, and it certainly isn't now as a patch is already floating around.



http://threatpost.com/bash-exploit-reported-first-round-of-patches-incomplete/108550

http://threatpost.com/patching-bash-vulnerability-a-challenge-for-ics-scada

Those industrial systems are always trouble.


----------

