Re: bash 'Shell Shock' vulnerability

From: "Rohan McLeod" <rhn@jeack.com.au>
Any news regarding mobile phones and routers etc ?
I have an older QNAP NAS appliance (used for backup) that is vulnerable as well. The web interface died four weeks ago so it seems to be time to retire it anyway ;-)

AFAIK Busybox uses ash. That should be okay for some appliances.

On an Apple, I wonder what breaks if you point sh and bash to ksh (until the fix comes in). Probably not much.

Regards
Peter

Peter Ross wrote:
From: "Rohan McLeod" <rhn@jeack.com.au>
Any news regarding mobile phones and routers etc ?
I have an older QNAP NAS appliance (used for backup) that is vulnerable as well.
AFAIK Busybox uses ash. That should be okay for some appliances.
Actually, the QNAP appliance is using BusyBox, I realized. So Busyboxes are affected too. At least the one example I have in reach.

Regards
Peter

On 26/09/2014 5:01 PM, Peter Ross wrote:
From: "Rohan McLeod" <rhn@jeack.com.au>
Any news regarding mobile phones and routers etc ?
I have an older QNAP NAS appliance (used for backup) that is vulnerable as well.
Why not run Debian on it? I used funplug on my old D-Link DNS343 NAS units, one of two out of service now, the other out of service soon -- NOT Internet accessible at all. I've installed Debian Wheezy on Thecus N4800eco units now, these were to replace the D-Link gear.
On an Apple, I wonder what breaks if you point sh and bash to ksh (until the fix comes in) Probably not much.
Apple had another great fail with iOS 8.0.1 -- apparently the same person approved it as for their maps debacle; at least they've got 8.0.2 out now (not that I use any iDevice myself).

I don't expect Apple to be quick with a fix, OS X Mavericks is quite old for openssl too, too old for heartbleed. In the past when Apple made themselves responsible for their /own/ Java builds, they were very slow to fix them as well. Suffice to say, I wouldn't count on /perfect/ Apple to fix this bash problem quickly, but I would be happy to be proved wrong.

Cheers
A.

On 26/09/2014 6:34 PM, Andrew McGlashan wrote:
In the past when Apple made themselves responsible for their /own/ Java builds, they were very slow to fix them as well.
No change to bash from 10.9.4 to 10.9.5; of course, that OS X update wasn't expected to update bash. No further updates are available from Apple yet.

Cheers
A.

Participants (2): Andrew McGlashan, Peter Ross