Re: [Linux-users] Bash Haiku...
yeah, but you’d have to say it’s got a nicer ring to it than heartbleed…

On 25/09/2014, at 5:48 pm, Douglas Royds douglas.ro...@taitradio.com wrote:
> Oh no, it has a click-bait name already: Shellshock
Re: [Linux-users] Bash Haiku...
On Thu, 2014-09-25 at 21:01 +1200, Chris Hellyar wrote:
> Have you ever had a server hand-grenaded by cron-apt/yum-cron? I got bitten a few years ago using a home-brew auto-apt update which installed a breaking regression and have used a cron job that apt-get update apt-get -s upgrade mailx instead now…
>
> Cheers, Chris H.

Yes, I have. Percona ( my standard build throws larrys MySQL out in preference to this ) is not very good with its repo scripts... in fact with the latest update I have to manually update the repo definition for it to find the source at all for CentOS 6. They have a nasty habit of not restarting the rdbms after update. Monitoring software lets me know sharpish though!

Nothing worse than that, and for those who don't want higher levels of maintenance this is ( my perception of ) the lowest risk for them.

Maybe I should revert to the standard distro version, but upping to version 5.6 has so much going for it.

Steve

--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
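The notify-only approach mentioned in the quoted message above (refresh the package lists, simulate the upgrade, mail the result instead of installing), sketched as an added example that is not code from anyone in this thread. The `--cron` switch, the `root` recipient, the function names and the sample package names and versions are assumptions constructed for illustration.

```sh
#!/bin/sh
# Notify-only update check: simulate the upgrade and mail what is pending,
# so nothing is installed until a human has looked at the list.

# Constructed sample of `apt-get -s upgrade` output (versions are made up;
# the newdep line shows a new install, which has no [old] field).
SAMPLE_SIM='Reading package lists...
The following packages will be upgraded:
  bash examplelib
Inst bash [1.0-1] (1.0-2 Debian-Security:7.0/stable [amd64])
Inst examplelib [2.0-1] (2.0-2 Debian:7.6/stable [amd64])
Inst newdep (3.0-1 Debian:7.6/stable [amd64])
Conf bash (1.0-2 Debian-Security:7.0/stable [amd64])
Conf examplelib (2.0-2 Debian:7.6/stable [amd64])'

# Read simulation output on stdin; print one "name old -> new" line per
# package, tagging those that come from a security archive.
pending_upgrades() {
    awk '$1 == "Inst" {
        if ($3 ~ /^\[/) { cur = substr($3, 2, length($3) - 2); cand = substr($4, 2) }
        else            { cur = "(new)"; cand = substr($3, 2) }
        tag = (tolower($0) ~ /security/) ? " [security]" : ""
        print $2 " " cur " -> " cand tag
    }'
}

# Build the mail body; return 1 (and print nothing) when nothing is pending.
build_report() {
    list=$(printf '%s\n' "$1" | pending_upgrades)
    [ -n "$list" ] || return 1
    printf 'Pending on %s (simulation only, nothing installed):\n%s\n' \
        "$(uname -n)" "$list"
}

# Real run, e.g. from cron as root: /usr/local/sbin/pending-updates --cron
# (hypothetical path). LC_ALL=C keeps the output in the C locale for parsing.
if [ "${1:-}" = "--cron" ]; then
    apt-get -qq update
    if report=$(build_report "$(LC_ALL=C apt-get -s upgrade)"); then
        printf '%s\n' "$report" | mailx -s "Updates pending on $(uname -n)" root
    fi
fi
```

No mail is sent when the simulation lists nothing, so a message arriving is itself the signal that a host needs attention.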
[Linux-users] Bash Haiku...
Thinking topical,
It consumed most of the day
as a precaution

An exploit is found
Bash, CGI scripting flaw
new patches employed

If you host on line
your version of bash do check
The repos refreshed

Fin. :-)

For those who have no idea what I'm on about:
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

There are some great headlines doing the rounds.. This one takes the cake I think:
http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/ (What worm? Wired should know better!)
http://www.nbcnews.com/tech/security/new-bash-bug-could-pose-bigger-threat-heartbleed-n211006
http://www.smh.com.au/it-pro/security-it/shell-shock-bash-bug-labelled-largest-ever-to-hit-the-internet-20140925-10ltx1.html

Great stuff... Considering the major attack vector would be bash CGI scripts which anyone with a brain stopped using about 10 years ago I'm picking someone got a bit excited and then the other news media got hold of it.

Anyway, Debian and RH have both updated their repos... Illumos, SmartOS and Solaris appear not to be caught up in it due to compile-time options for bash, and no-one who's got any sense uses OS X to host something on the public Internet anyway. I think that covers 99% of the *ix hosting these days?

On 25/09/14 16:01, Chris Hellyar wrote:
> On servers remote
> in Datacenters, lights out.
> Debian Makes sense.
>
> On Desktops deployed
> Surfing the great unknown
> Ubuntu's at home.
>
> For uptime you care
> five nines the contract denotes
> roll out Solaris.
>
> The data is large
> complex structures, indexes worse
> informix knows best
>
> as tight as a drum
> in security it shines
> lock down, BSD
>
> Slow day.
>
> On 25/09/14 13:42, Derek Smithies wrote:
>> Hi,
>> but it is so true
>> for all who just want to do
>> you go ubuntu
>>
>> Derek.
>>
>> On 25/09/14 13:37, Douglas Royds wrote:
>>> Old duffers maintain
>>> that Debian is the source,
>>> the One True Distro
>>>
>>> On 24 September 2014 22:21, Chris Hellyar ch...@trash.co.nz wrote:
>>>> Back to Debian
>>>> for stability I crave
>>>> farewell, Ubuntu.
>>>>
>>>> (made the shift with my last rebuild, happy camper now..)
>>>>
>>>> On 24/09/2014, at 9:55 pm, Nick Rout nick.r...@gmail.com wrote:
>>>>> On Wed, Sep 24, 2014 at 7:40 PM, David Lowe da...@thistledown.co.nz wrote:
>>>>>> On 24/09/2014 6:06 pm, Nick Rout nick.r...@gmail.com wrote:
Re: [Linux-users] Bash Haiku...
So bash is shellshocked
hey you apache users
get it patched right now

Unfortunately those devs who think they can make sites production ready through dashboards like cPanel and Plesk ( not singling them out, just using common ones as examples! ) can easily set stuff up with cgi without knowing. Hardcore nginx / fastcgi junkies on the command line shouldn't really be affected.

I just wrote a script to go round and update my clients as the press had put the wind up a few of them. TBH for the hands-off ones I install yum-cron / cron-apt so it would have been fixed by tomorrow automagically anyway...

Steve

--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
Re: [Linux-users] Bash Haiku...
Oh no, it has a click-bait name already: Shellshock