Linux vulnerability (bashdoor) found, some Beagle bones may be affected.


Alan Federman

Oct 7, 2014, 2:33:47 PM
to beagl...@googlegroups.com
My BBB with 14.04 newly installed (Two weeks ago) had the vulnerability.  Fortunately, a system update/upgrade will fix.

While this probably doesn't apply to most of us, there is a recent security issue in Linux systems (mid-September). It is called 'Bashdoor', 'Bash Bug' or 'Shellshock'.

From the CLI on your system you can test with:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
ubuntu@arm:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable    < bad
this is a test


To fix Ubuntu:
apt-get update && apt-get upgrade
After an update, the system was still vulnerable. After upgrade it was OK.
This is probably only an issue if you are running a server like Apache on your bone.

William Hermans

Oct 7, 2014, 4:36:01 PM
to beagl...@googlegroups.com
This is why it is important that users who are concerned with security should monitor sites like "Threatpost". This vulnerability has been made public as of a couple of weeks ago, but is said to have been in Linux for the last 10+ (20?) years.

Also as an aside, apt-get update only pulls in the update lists, so won't fix *anything* until after apt-get upgrade is run. See the man pages for further explanation of what each APT command does.

--
For more options, visit http://beagleboard.org/discuss
---
You received this message because you are subscribed to the Google Groups "BeagleBoard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to beagleboard...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tomáš Franke

Oct 8, 2014, 3:06:45 AM
to beagl...@googlegroups.com
This Bash bug can be abused when running the web server with CGI scripts, only.


On 7.10.2014 20:33, Alan Federman wrote:


c...@isbd.net

Oct 8, 2014, 4:34:01 AM
to beagl...@googlegroups.com
Tomáš Franke <tom...@volny.cz> wrote:
> This Bash bug can be abused when running the web server with CGI
> scripts, only.
>
... and even then only if:-

The web server is internet facing (unless you have enemies on your
LAN of course!)

The web server's CGI scripts use bash, they often use other shells
or even don't use a shell at all.

There is of course a vulnerability on *any* port open to the internet
where there is a possibility of running something which uses bash.

Presumably also the vulnerability is fixed in Ubuntu and Debian if you
simply do an 'apt-get update' and an 'apt-get upgrade'. It was fixed
on my desktop Linux system (Ubuntu) within 24 hours of the bug being
reported.

--
Chris Green

Przemek Klosowski

Oct 8, 2014, 9:05:48 AM
to beagl...@googlegroups.com
On Wed, Oct 8, 2014 at 4:29 AM, <c...@isbd.net> wrote:
Tomáš Franke <tom...@volny.cz> wrote:
> This Bash bug can be abused when running the web server with CGI
> scripts, only.
 
Not quite--see below

>
... and even then only if:-

    The web server is internet facing (unless you have enemies on your
    LAN of course!)

That's true---it's not vulnerable if you can't reach it


    The web server's CGI scripts use bash, they often use other shells
    or even don't use a shell at all.
 
Apparently there is a problem because bash is used to process environment variables derived from HTTP header fields for any URL:  http://blog.cloudflare.com/inside-shellshock/

That's why it's such a big deal around the Internet.
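
Added example, not part of any message in this thread: a log check for the point made in the last reply, that HTTP header values reach bash as environment variables. It assumes Apache's "combined" access-log format, which records only the Referer and User-Agent headers, so probes carried in other headers will not show up here; the function name and sample lines are constructed for illustration.

```python
import re

# Apache "combined" log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
# Apache backslash-escapes quotes inside logged values, hence the \\. branch.
_Q = r'"(?P<%s>(?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] ' + _Q % "request"
    + r' \d{3} \S+ ' + _Q % "referer" + " " + _Q % "agent"
)

# Logged header -> CGI environment variable it becomes (RFC 3875 naming).
CGI_VARS = {"referer": "HTTP_REFERER", "agent": "HTTP_USER_AGENT"}

# Unpatched bash imported any environment value starting with these four
# characters as a function definition, then ran whatever followed it.
FUNC_PREFIX = "() {"


def find_shellshock_probes(lines):
    """Return (client_ip, cgi_variable, value) for every suspicious header."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue  # not combined format; skip rather than guess at fields
        for field, var in CGI_VARS.items():
            value = m.group(field).strip()
            if value.startswith(FUNC_PREFIX):
                hits.append((m.group("ip"), var, value))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
# The flagged value is the harmless test string from the first post.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Oct/2014:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux armv7l)"',
    '198.51.100.7 - - [08/Oct/2014:09:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [08/Oct/2014:09:02:41 +0000] "GET / HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.35.0"',
    '192.0.2.11 - - [08/Oct/2014:09:03:05 +0000] "GET /faq HTTP/1.1" 200 900 "-" "Bot () { example }"',
]

if __name__ == "__main__":
    for ip, var, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip}  {var}  {value}")
```

A hit means someone sent the pattern, not that it ran: whether the box was exposed still depends on the bash version, which the command in the first post tests.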