[OT Security PSA] Shellshock: Update your bash, now!
October 01, 2014
Don't mean to be alarmist, but I'm posting this in case anyone else is like me and hasn't been paying attention since this news broke (AIUI) about a week ago.

Apparently bash has its own "heartbleed" now, dubbed "shellshock". Warm fuzzy flashbacks of "TMNT: The Arcade Game" aside, this appears to be pretty nasty *and* it affects pretty much every version of bash ever released. And of course bash exists on practically everything, so...pretty big deal. Security sites, blogs-o'-spheres, cloudosphere, etc are all over this one. (Don't know how I managed to miss it until now.)

Patches have been issued (and likely more to come from what I gather), so:

Go update bash on all your computers and servers, NOW. No, don't hit reply, do it now. Personally, I'd keep updating fairly frequently until the whole matter settles down a bit.

Since the security folks have been jumping at this, getting a fixed bash should be trivial. Debian already has patched versions in its repos (even for Debian 6 if you're using the LTS repo). Other distros likely have patched versions now too. So you have no excuse!

More info:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability
https://startpage.com/do/search?query=bash+shellshock

--------------------
HOW TO CHECK/UPDATE:
--------------------

Test for vulnerability like this (supposed to be one line):
$ env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

Update to a fixed bash:

Debian Testing (and probably Deb 7, though I don't have an installation of 7 to confirm):
$ sudo apt-get update && sudo apt-get install bash

Debian 6: (Including setting up the LTS repos):
$ sudo cat 'deb http://http.debian.net/debian squeeze-lts main contrib non-free' >> /etc/apt/sources.list
$ sudo cat 'deb-src http://http.debian.net/debian squeeze-lts main contrib non-free' >> /etc/apt/sources.list
$ sudo apt-get update && sudo apt-get install bash

Other OSes/distros are likely equally easy. Please, reply with examples to help ensure other people on the same OS/distro as you have no excuse not to update!
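Added example, not part of the post above or of the linked tutorials: the one-line test wrapped into a POSIX sh script you can point at any bash binary and run from a fleet check. It runs the environment-variable probe from the post (the original bug, CVE-2014-6271) and also the probe for the hole the first patch left open (CVE-2014-7169), which on an affected bash turns "echo probe" into a redirect and drops a stray file named "echo" in the working directory, so that probe runs in a scratch directory and cleans up after itself. The function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread: probe a bash binary for Shellshock.
# Probe 1 is the original bug (CVE-2014-6271): a command appended to an
# exported function definition runs while bash imports its environment.
# Probe 2 is the follow-up the first patch missed (CVE-2014-7169): parser
# state leaks out of the function body, so "echo probe" becomes a redirect
# and a stray file named "echo" appears in the working directory.
#
# check_shellshock [path-to-bash]  ->  prints vulnerable | patched | no-bash
# Exit status is 1 only when a probe fires, so it can gate a deploy step.

shellshock_probe_6271() {
    # On a vulnerable bash "SHOCK" is printed before the -c command even runs.
    probe_out=$(env 'x=() { :;}; echo SHOCK' "$1" -c 'echo probe' 2>/dev/null)
    case $probe_out in
        *SHOCK*) return 1 ;;
    esac
    return 0
}

shellshock_probe_7169() {
    # Run inside a scratch directory so the stray "echo" file is contained
    # and removed afterwards. If no scratch directory is available, skip.
    probe_dir=$(mktemp -d 2>/dev/null) || return 0
    if ( cd "$probe_dir" || exit 1
         env 'X=() { (a)=>\' "$1" -c 'echo probe' >/dev/null 2>&1
         [ -e echo ] ); then
        probe_fired=1          # file "echo" was created: parser bug present
    else
        probe_fired=0
    fi
    rm -rf "$probe_dir"
    [ "$probe_fired" -eq 0 ]
}

check_shellshock() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    if shellshock_probe_6271 "$bash_bin" && shellshock_probe_7169 "$bash_bin"; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

check_shellshock "$@"
```

Run it as check_shellshock /usr/local/bin/bash (or whatever non-default bash you have installed) as well as plain check_shellshock, since a second bash outside the package manager's reach is exactly the one that doesn't get updated. A clean result from these two probes is necessary but not sufficient: later bash patches closed several further parser bugs (CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278), so the authoritative check is the installed package version against your distro's advisory.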
October 01, 2014
On 10/01/2014 01:09 AM, Nick Sabalausky wrote:
> Debian 6: (Including setting up the LTS repos):
> $ sudo cat 'deb http://http.debian.net/debian squeeze-lts main contrib
> non-free' >> /etc/apt/sources.list
> $ sudo cat 'deb-src http://http.debian.net/debian squeeze-lts main
> contrib non-free' >> /etc/apt/sources.list
> $ sudo apt-get update && sudo apt-get install bash
>

Pffft, ok, so I'm a little brain-fried. Obviously those first two lines should be:

$ echo 'deb http://http.debian.net/debian squeeze-lts main contrib non-free' | sudo tee -a /etc/apt/sources.list
$ echo 'deb-src http://http.debian.net/debian squeeze-lts main contrib non-free' | sudo tee -a /etc/apt/sources.list

Keep or omit the "non-free" and "contrib" as you wish. Or, you know, just get off of Debian 6 to say, Debian 7 or something ;)

October 01, 2014
On 1 October 2014 06:09, Nick Sabalausky via Digitalmars-d-announce <digitalmars-d-announce@puremagic.com> wrote:
> Don't mean to be alarmist, but I'm posting this in case anyone else is like me and hasn't been paying attention since this news broke (AIUI) about a week ago.
>
> Apparently bash has its own "heartbleed" now, dubbed "shellshock". Warm fuzzy flashbacks of "TMNT: The Arcade Game" aside, this appears to be pretty nasty *and* it affects pretty much every version of bash ever released. And of course bash exists on practically everything, so...pretty big deal. Security sites, blogs-o'-spheres, cloudosphere, etc are all over this one. (Don't know how I managed to miss it until now.)
>
> Patches have been issued (and likely more to come from what I gather), so:
>
> Go update bash on all your computers and server, NOW. No, don't hit reply, do it now. Personally, I'd keep updating fairly frequently until the whole matter settles down a bit.
>

At work we do two things:

1) Add our main email to the Debian Security ML, so we tend to know about any vulnerabilities that need patching at least 24 hours before it hits the media.

2) Use an automated configuration management system, such as Puppet. By the time we read the initial email, the fix had already been applied to all servers without manual intervention. ;)

Of course, merely updating your packages is not enough to keep you safe.  You must also consider which front-end-facing applications are using the now-patched software, and restart them.

grep libvulnerable /proc/*/maps | grep deleted


Iain
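Added example, not Iain's code: the grep above generalised into a POSIX sh scan. A process that still maps a file marked "(deleted)" in /proc/PID/maps is running a copy of something the package manager has since replaced on disk, which is what "patched but not restarted" looks like from the outside. The first function takes a single maps file (so it can also be run on a saved copy), the second walks every process, and the third reports processes whose main executable itself was replaced. memfd, SysV shared memory and /dev mappings are "(deleted)" by design and are skipped. Function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread: find processes that still map a file
# which has since been deleted or replaced on disk, i.e. what a package
# upgrade leaves behind until the process is restarted.
#
# find_stale_mappings [regex]   -> "PID<TAB>path" per stale file mapping
# find_stale_executables        -> "PID<TAB>path" per replaced main binary

# Report stale file mappings from one maps file. $1 = maps file, $2 = pid
# label for the output, $3 = optional regex restricting the reported paths.
# maps columns: address perms offset dev inode pathname [(deleted)]
# (paths containing spaces are not handled; they are rare in practice).
stale_mappings_in() {
    cat "$1" 2>/dev/null | awk -v pid="$2" -v pat="${3:-.}" '
        NF >= 7 && $7 == "(deleted)" && $6 ~ /^\// && $6 ~ pat {
            # memfd, SysV shm and /dev mappings are (deleted) by design
            if ($6 ~ /^\/(memfd:|SYSV|dev\/)/) next
            if (!seen[$6]++) printf "%s\t%s\n", pid, $6
        }'
}

# Walk every process. Reading another user's maps needs root; unreadable
# ones simply produce no output.
find_stale_mappings() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_mappings_in "$maps" "$pid" "$1"
    done
}

# Processes whose *main executable* was replaced. This is the case that
# matters for a long-running bash script: a CGI handler or cron job execs a
# fresh bash each time and so picks up the new binary on its own.
find_stale_executables() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            *' (deleted)')
                pid=${exe#/proc/}
                printf '%s\t%s\n' "${pid%/exe}" "${target%" (deleted)"}" ;;
        esac
    done
}

find_stale_mappings "$@"
```

Run find_stale_mappings 'bash|libssl' as root right after the upgrade and restart whatever it lists (a replaced libc generally means a reboot). For bash specifically, an interactive session or a long-running script started before the upgrade stays on the old binary until it is restarted, while anything that execs a new bash per request is already fixed. checkrestart from debian-goodies and needrestart do the same scan with distro-specific service mapping on top.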
October 01, 2014
On 10/1/14 1:09 AM, Nick Sabalausky wrote:
> Patches have been issued (and likely more to come from what I gather), so:

FWIW, MacOS X now has an update for bash that fixes the bug, apparently came out last night.

http://support.apple.com/kb/HT6495

-Steve
October 01, 2014
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky wrote:
>
> Other OSes/distros are likely equally easy. Please, reply with examples to help ensure other people on the same OS/distro as you have no excuse not to update!

I find it ironic that it's another "big global" security hole about which Windows users don't even have to be concerned.
October 01, 2014
On Wednesday, 1 October 2014 at 13:41:43 UTC, JN wrote:
> On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky wrote:

> I find it ironic that it's another "big global" security hole about which Windows users don't even have to be concerned about.

That's of course very true, since Windows runs on no serious servers.
October 01, 2014
On Wednesday, 1 October 2014 at 13:58:25 UTC, eles wrote:
> On Wednesday, 1 October 2014 at 13:41:43 UTC, JN wrote:
>> On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky wrote:
>
>> I find it ironic that it's another "big global" security hole about which Windows users don't even have to be concerned about.
>
> That's of course very true, since Windows runs on no serious servers.

You would be surprised how some Fortune 500 companies are doing their serious work in 100% Windows servers.

Sadly I need to comply with NDAs.

--
Paulo
October 01, 2014
On Wednesday, 1 October 2014 at 14:29:16 UTC, Paulo Pinto wrote:
> You would be surprised how some Fortune 500 companies are doing their serious work in 100% Windows servers.
>
> Sadly I need to comply with NDAs.

Isn't NASDAQ enough?
October 01, 2014
On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky wrote:
> Apparently bash has its own "heartbleed" now, dubbed "shellshock".

Does it affect dash?
Also, how does one update software on Linux? Last I checked, when a new version is out, the repository of the previous version becomes utterly abandoned. A pity, on Windows one can roll new software versions as long as they are maintained.
October 01, 2014
On 10/1/14 10:44 AM, Kagamin wrote:
> On Wednesday, 1 October 2014 at 05:09:45 UTC, Nick Sabalausky wrote:
>> Apparently bash has its own "heartbleed" now, dubbed "shellshock".
>
> Does it affect dash?

I don't know, but I think it doesn't. There are tests you can use to check if your shell is vulnerable, google can tell you :)

> Also, how does one update software on linux? Last I checked, when new
> version is out, repository of the previous version becomes utterly
> abandoned. A pity, on windows one can roll new software versions as long
> as they are maintained.

Generally, you use the package manager, but it is very dependent on what distribution you are using. For example, in Ubuntu or Linux Mint, the UI alerts you to updates, and it's as simple as clicking a button.

I think the "utterly abandoned" claim is highly dubious.

-Steve