On 9/24/14, 3:27 PM, Jim Popovitch wrote:
On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg@gmail.com> wrote:
The scope of the issue isn't limited to SSH, that's just a popular example people are using. Any program calling bash could potentially be vulnerable. Agreed. My point was that bash is not all that popular on debian/ubuntu for accounts that would be running public facing services that would be processing user defined input (www-data, cgi-bin, list, irc, lp, mail, etc). Sure some non-privileged user could host their own cgi script on >:1024, but that's not really a critical "stop the presses!!" upgrade issue, imho.
This is already made it to /. so I'm not sure why Randy was being so hush hush... But my read is that this could affect anything that calls bash to do processing, like handing off to CGI by putting in headers to p0wn the box. Also: bash is incredibly pervasive though any unix disto, in not at all obvious places, so I wouldn't be complacent about this at all. Mike