Diff for "BashFAQ/111"

Differences between revisions 3 and 10 (spanning 7 versions)

What is the Shellshock vulnerability in Bash?

As of this writing (September 27th, 2014), the situation with Shellshock is changing so rapidly that you're probably better off using your preferred search engine instead of this FAQ. For example, you could search a news site for recent items which contain the word "Shellshock".

A quick summary is this:

The most recent updates should now fix all known Shellshock-related vulnerabilities.
Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug.

After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".

In the meantime, here are a few links that should help you get started:

CategoryShell

-  ⇤ ← Revision 3 as of 2014-09-26 02:32:48 → 
  Size: 1978
  Editor: WillDye
  Comment: Added more external links about Shellshock/CVE-2014-6271
+   ← Revision 10 as of 2014-09-27 20:32:52 → ⇥
  Size: 3333
  Editor: WillDye
  Comment: Add another link
-Deletions are marked like this.
+Additions are marked like this.
 Line 4:
-As of this writing (September 25th, 2014),
+As of this writing (September 27th, 2014),
 Line 10:
-recent items which contain the words "Shellshock" and/or "CVE-2014-6271".
+recent items which contain the word "Shellshock".

A quick summary is this:
 * The most recent updates should now fix all known Shellshock-related vulnerabilities.
 * Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
 * Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug.
-Line 13:
+Line 18:
-this FAQ page should be updated with a handy summary.
+this FAQ page should be updated with a better summary.
For information about specific vulnerabilities related to Shellshock,
you may find better results by searching for terms such as
"CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".
-Line 17:
+Line 26:
+ * [[http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/|ZDNet: the latest patches do fix all known Shellshock issues]]
-Line 18:
+Line 28:
- * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-6271&tbm=nws|Search Google News for 'CVE-2014-6271' (no need to limit time range)]]
+ * [[http://en.wikipedia.org/wiki/Shellshock_(software_bug)|Wikipedia article on Shellshock]]
 * [[https://shellshocker.net/|"shellshocker.net", and online tool for testing if a system is vulnerable]]
 * [[https://access.redhat.com/articles/1200223|Summary article from RedHat on how to determine if a system is vulnerable]]
-Line 20:
+Line 32:
- * [[https://www.us-cert.gov/ncas/alerts/TA14-268A|Official US-CERT page on CVE-2014-6271]]
+ * [[https://www.us-cert.gov/ncas/alerts/TA14-268A|Official US-CERT page on CVE-2014-6271, the first vulnerability in the series to be discovered]]
-Line 23:
+Line 35:
- * [[https://www.youtube.com/watch?v=aKShnpOXqn0|4-minute introductory video for non-programmers]]
+ * [[https://www.youtube.com/v/aKShnpOXqn0&autoplay=0|4-minute introductory video for non-programmers]]
-Line 26:
+Line 38:
  * [[http://blog.xeonbd.com/2014/09/every-mac-vulnerable-shellshock-bash-exploit-heres-patch-os-x/|Patch instructions for OSX]]
-Line 29:
+Line 41:
+ * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-6271&tbm=nws|Search Google News for 'CVE-2014-6271']]
 * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-7169&tbm=nws|Search Google News for 'CVE-2014-7169']]
 * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-7186&tbm=nws|Search Google News for 'CVE-2014-7186']]
 * [[https://www.google.com/webhp?tbm=nws#q=CVE-2014-7187&tbm=nws|Search Google News for 'CVE-2014-7187']]