On 09/25/2014 08:23 AM, Michael Torrie wrote:
> On 09/24/2014 08:33 PM, Ryan Simpkins wrote:
>> On Wed, September 24, 2014 19:32, Jeremy Pace wrote:
>>> I was a little surprised to not see some posts regarding this vulnerability:
>>
>> We were all too busy patching systems. All patched now. Thank you SaltStack
>> for making my system orchestration problems a distant memory! Responding to
>> security events like this with Salt makes for a much nicer day.
> 
> Dumb question, but since I've been living under a rock these last few
> weeks and have only had a chance to see the headlines, is this
> vulnerability remotely exploitable with, say, ssh?  I've run a few tests
> and I'm unable to get the exploit to work remotely unless I get the
> login to succeed.  Obviously I'm missing something.  Can someone help me
> out here?

Okay so I read up more and understand how it's a potentially exploitable
problem in many environments:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Surprisingly insightful executive summary:
http://linux.slashdot.org/comments.pl?sid=5750159&cid=47987731

Except for the DHCP client vector, none of my public-facing servers are
exceptionally vulnerable, so I can breathe a bit more easily and just yum
update and go back under my rock.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
