Re: bash 4.3.27 available [Was: bash "Shell Shock" vulnerability]

On 2/10/2014 8:42 AM, Sam Varghese wrote:
Fixes for older versions of OS X are available here:
http://tenfourfox.blogspot.com.au/2014/09/bashing-bash-one-more-time-updated...
Partial fixes..... IT IS NOT FIXED. This is so disappointing, how bad is Apple, almost as pathetic as other major vendors such as Cisco and Juniper doing "emergency" patches at long last. Cheers A.

Hi, On Thu, Oct 2, 2014 at 8:47 AM, Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:
On 2/10/2014 8:42 AM, Sam Varghese wrote:
Fixes for older versions of OS X are available here:
http://tenfourfox.blogspot.com.au/2014/09/bashing-bash-one-more-time-updated...
Partial fixes..... IT IS NOT FIXED. This is so disappointing, how bad is Apple, almost as pathetic as other major vendors such as Cisco and Juniper doing "emergency" patches at long last.
Frankly, I think all vendors have been caught out by this, especially over the latest 2 CVEs (6277 and 6278):
- Red Hat's response on 6278 is a little ambiguous IMHO:
From: https://access.redhat.com/security/cve/CVE-2014-6278
“Red Hat believes that changes introduced via updates RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 that prevent Bash from defining new functions based on arbitrary environment variables sufficiently mitigate this issue. This statement will be updated once more details are available.”
- NetApp and VMware are both exposed in small ways on some products but fixes are not available as yet.
- Cisco have some work to do as well: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s...
TBH I am surprised at the pervasive use of GNU bash.
BW

On 2/10/2014 6:15 PM, Brent Wallis wrote:
Frankly, I think all vendors have been caught out by this, especially over the latest 2 CVEs (6277 and 6278):
- Red Hat's response on 6278 is a little ambiguous IMHO:
From: https://access.redhat.com/security/cve/CVE-2014-6278
“Red Hat believes that changes introduced via updates RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 that prevent Bash from defining new functions based on arbitrary environment variables sufficiently mitigate this issue. This statement will be updated once more details are available.”
I keep checking regularly [much more than normal at this time] for updates; I'm not convinced that we are done yet, even on Linux (Debian in my case).
- NetApp and VMware are both exposed in small ways on some products but fixes are not available as yet.
Not good.
- Cisco have some work to do as well: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s...
They seem to have a great many products to deal with, but again, they are a huge company, they should have the resources to deal with this in a much more timely manner.
TBH I am surprised at the pervasive use of GNU bash.
Yes. A.
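As an added practical check (an editor's example, not part of any message in this thread), here is a POSIX shell probe for the two things the Red Hat statement quoted above distinguishes: whether a bash binary still executes code that trails an imported function definition (the original CVE-2014-6271 pattern), and whether it still turns arbitrarily named environment variables into functions at all, which is what the later prefix/suffix patches (upstream bash-4.3.27 and the Red Hat updates named in the quote) stop. It assumes only a bash binary on PATH (default `bash`) and a file name of `shellshock_probe.sh` for stand-alone use; the BASH_FUNC_ variable names it looks for are the ones the fixed builds use for exported functions (upstream appends `%%`, Red Hat appends `()`).

```shell
#!/bin/sh
# Added probe, not from the thread. Exercises a bash binary for the behaviours
# the Red Hat CVE-2014-6278 statement refers to. Assumption: "$1" (default
# "bash") is a bash binary on PATH.

# shellshock_probe BIN
# Prints one of:
#   trailing-code      code after an imported function body was executed
#                      (the CVE-2014-6271 pattern)
#   imports-arbitrary  a well-formed function is still imported from an
#                      arbitrarily named variable (only the first patch applied)
#   fixed              neither behaviour observed
#   missing            BIN not found (returns 2)
shellshock_probe() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo "missing"; return 2; }

    # 1. Original CVE-2014-6271 pattern: a vulnerable bash runs `echo CANARY`
    #    while importing variable x as a function. A fixed build leaves x a
    #    plain variable and prints nothing.
    out=$(env x='() { :;}; echo CANARY' "$bin" -c ':' 2>/dev/null)
    case "$out" in
        *CANARY*) echo "trailing-code"; return 1 ;;
    esac

    # 2. Even a well-formed body must not be imported from an arbitrary name.
    #    `type x` succeeds only if bash turned the variable into a function.
    if env x='() { echo CANARY; }' "$bin" -c 'type x' >/dev/null 2>&1; then
        echo "imports-arbitrary"; return 1
    fi

    echo "fixed"
    return 0
}

# export_scheme BIN
# Shows how this bash names an exported function in the environment:
#   %%    upstream bash-4.3.27 scheme   (BASH_FUNC_f%%=() { ...)
#   ()    Red Hat scheme                (BASH_FUNC_f()=() { ...)
#   none  the export is not namespaced at all (pre-fix behaviour)
export_scheme() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    e=$("$bin" -c 'f() { :; }; export -f f; env' 2>/dev/null)
    case "$e" in
        *"BASH_FUNC_f%%="*) echo "%%" ;;
        *"BASH_FUNC_f()="*) echo "()" ;;
        *)                  echo "none" ;;
    esac
}

# Stand-alone use: sh shellshock_probe.sh [/path/to/bash]
if [ "${0##*/}" = "shellshock_probe.sh" ]; then
    shellshock_probe "${1:-bash}"
    export_scheme "${1:-bash}"
fi
```

A fully patched bash reports `fixed` plus a `%%` or `()` scheme. `imports-arbitrary` identifies a build that only has the first patch: the trailing-code bug is closed, but function import is still unrestricted, which is the gap the Red Hat statement says its later updates close. Run it against each bash you actually ship (for example `/bin/bash` on OS X as well as any bash bundled inside an appliance image) rather than just the one on your workstation.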