|
Size: 1095
Comment: Shellshock is a big enough event to merit a new FAQ number
|
Size: 3333
Comment: Add another link
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 4: | Line 4: |
| As of this writing (September 25th, 2014), | As of this writing (September 27th, 2014), |
| Line 12: | Line 12: |
| A quick summary is this: * The most recent updates should now fix all known Shellshock-related vulnerabilities. * Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway. * Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug. |
|
| Line 13: | Line 18: |
| this FAQ page should be updated with a handy summary. | this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187". |
| Line 15: | Line 24: |
| here are a few links that might help you get started: | here are a few links that should help you get started: |
| Line 17: | Line 26: |
| * [[https://www.google.com/search?q=shellshock+bash&tbs=qdr:d|A search of Google News for 'Shellshock']] | * [[http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/|ZDNet: the latest patches do fix all known Shellshock issues]] * [[https://www.google.com/webhp?tbs=qdr:d#q=shellshock+bash&tbs=qdr:d&tbm=nws|Search Google News for 'Shellshock bash', limited to the last 24 hours]] * [[http://en.wikipedia.org/wiki/Shellshock_(software_bug)|Wikipedia article on Shellshock]] * [[https://shellshocker.net/|"shellshocker.net", and online tool for testing if a system is vulnerable]] * [[https://access.redhat.com/articles/1200223|Summary article from RedHat on how to determine if a system is vulnerable]] |
| Line 19: | Line 32: |
| * [[http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html|A report by Troy Hunt]] | * [[https://www.us-cert.gov/ncas/alerts/TA14-268A|Official US-CERT page on CVE-2014-6271, the first vulnerability in the series to be discovered]] * [[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271|NIST page on CVE-2014-6271]] * [[https://access.redhat.com/articles/1200223|RedHat's "knowledge base" article]] * [[https://www.youtube.com/v/aKShnpOXqn0&autoplay=0|4-minute introductory video for non-programmers]] * [[https://news.ycombinator.com/item?id=8361574|Conversation thread on Y-Combinator]] * [[http://www.reddit.com/r/programming/comments/2hc1w3/cve20146271_remote_code_execution_through_bash/|Conversation thread on Reddit]] |
| Line 21: | Line 39: |
| * [[http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/|Early ZDNet report on Shellshock]] | * [[http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html|"Everything you need to know about the Shellshock Bash bug", by Troy Hunt]] * [[http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/|Early report by Steven J. Vaughan-Nichols of ZDNet]] * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-6271&tbm=nws|Search Google News for 'CVE-2014-6271']] * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-7169&tbm=nws|Search Google News for 'CVE-2014-7169']] * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-7186&tbm=nws|Search Google News for 'CVE-2014-7186']] * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-7187&tbm=nws|Search Google News for 'CVE-2014-7187']] |
What is the Shellshock vulnerability in Bash?
As of this writing (September 27th, 2014), the situation with Shellshock is changing so rapidly that you're probably better off using your preferred search engine instead of this FAQ. For example, you could search a news site for recent items which contain the word "Shellshock".
A quick summary is this:
- The most recent updates should now fix all known Shellshock-related vulnerabilities.
- Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
- Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug.
After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".
In the meantime, here are a few links that should help you get started:
ZDNet: the latest patches do fix all known Shellshock issues
Search Google News for 'Shellshock bash', limited to the last 24 hours
"shellshocker.net", and online tool for testing if a system is vulnerable
Summary article from RedHat on how to determine if a system is vulnerable
Official US-CERT page on CVE-2014-6271, the first vulnerability in the series to be discovered
"Everything you need to know about the Shellshock Bash bug", by Troy Hunt