jimpop at gmail.com
Wed Sep 24 22:27:03 UTC 2014
On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg at gmail.com> wrote:
> The scope of the issue isn't limited to SSH, that's just a popular
> example people are using. Any program calling bash could potentially
> be vulnerable.
Agreed. My point was that bash is not all that popular on
debian/ubuntu for accounts that would be running public facing
services that would be processing user defined input (www-data,
cgi-bin, list, irc, lp, mail, etc). Sure some non-privileged user
could host their own cgi script on >:1024, but that's not really a
critical "stop the presses!!" upgrade issue, imho.
More information about the NANOG