On Fri, Sep 30, 2016 at 06:19:17PM +0000, ng0 wrote: > > On Fri, Sep 30, 2016 at 05:47:35PM +0000, ng0 wrote: > >> https://vms.drweb.com/virus/?_is=1&i=8598428 > >> > >> As far as I see it, Guix as GuixSD and systems with just Guix but with > >> software/files which is coming from Guix assumed by this trojan to exist in > >> 'normal' locations should not be able to get infected, > >> is this observation correct? I did not feel like this is a case which > >> should go to the -security list, as it's a general question.
I'd like <[email protected]> to be used for bugs that must be reported privately. This choice is up to the bug reporter. If a bug is already known publicly, we should discuss it openly on guix-devel. > softpedia quotes: > Dr.Web security researchers, the ones who have discovered this threat, > say the trojan seems to infect Linux machines via the Shellshock > vulnerability, still unpatched in a large number of devices. If the attack vector is the Bash Shellshock bug (CVE-2014-6271), then we should be safe. As far as I can tell, we patched our Bash package against that vulnerability with "gnu: bash: Apply patch series up to 25 [CVE-2014-6271]." (c1fe82d5866b). Is there something else we need to worry about here?
