> From: Doug Hughes [mailto:d...@will.to] > > All that is needed is to change the HTTP request headers which are required > by spec to be converted into environment variables. If the CGI in question is > bash
Thank you for that - indeed I did not know. But the conclusion in my eyes hasn't changed - I am certainly *still* in favor of patching every internet facing server as soon as patches are available (or sooner, depending on what services it makes available and what other security layers it is using). But the original question was about patching the bash bug for non-technical mac users. Can we generally agree that user's laptops don't need a rushed patch, unless the user has enabled services which are essentially making the user's laptop act as a server rather than a typical laptop? Because we don't know what apple's updater will do when it sees a bash binary that it doesn't recognize, I still think it's best to wait for apple to release their update (unless you happen to have an internet facing apple server, or some other high-risk individual). _______________________________________________ Tech mailing list Tech@lists.lopsa.org https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
