Michael Thomas mike at mtcc.com
Wed Sep 24 22:35:40 UTC 2014

On 9/24/14, 3:27 PM, Jim Popovitch wrote:
> On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg at gmail.com> wrote:
>> The scope of the issue isn't limited to SSH, that's just a popular
>> example people are using.  Any program calling bash could potentially
>> be vulnerable.
> Agreed.  My point was that bash is not all that popular on
> debian/ubuntu for accounts that would be running public facing
> services that would be processing user defined input (www-data,
> cgi-bin, list, irc, lp, mail, etc).  Sure some non-privileged user
> could host their own cgi script on >:1024, but that's not really a
> critical "stop the presses!!" upgrade issue, imho.

This is already made it to /. so I'm not sure why Randy was being so 
hush hush...

But my read is that this could affect anything that calls bash to do 
processing, like
handing off to CGI by putting in headers to p0wn the box. Also: bash is 
pervasive though any unix disto, in not at all obvious places, so I 
wouldn't be
complacent about this at all.


More information about the NANOG mailing list