[OT Security PSA] Shellshock: Update your bash, now!
Iain Buclaw via Digitalmars-d-announce
digitalmars-d-announce at puremagic.com
Wed Oct 1 00:17:59 PDT 2014
On 1 October 2014 06:09, Nick Sabalausky via Digitalmars-d-announce
<digitalmars-d-announce at puremagic.com> wrote:
> Don't mean to be alarmist, but I'm posting this in case anyone else is like
> me and hasn't been paying attention since this news broke (AIUI) about a
> week ago.
>
> Apparently bash has it's own "heartbleed" now, dubbed "shellshock". Warm
> fuzzy flashbacks of "TMNT: The Arcade Game" aside, this appears to be pretty
> nasty *and* it affects pretty much every version of bash ever released. And
> of course bash exists on practically everything, so...pretty big deal.
> Security sites, blogs-o'-spheres, cloudosphere, etc are all over this one.
> (Don't know how I managed to miss it until now.)
>
> Patches have been issued (and likely more to come from what I gather), so:
>
> Go update bash on all your computers and server, NOW. No, don't hit reply,
> do it now. Personally, I'd keep updating fairly frequently until the whole
> matter settles down a bit.
>
At work we do two things:
1) Add our main email to the Debian Security ML, so we tend to know
about any vulnerabilities that need patching at least 24 hours before
it hits the media.
2) Use an automated configuration management system, such as Puppet.
By the time we read the initial email, the fix had already been
applied to all servers without manual intervention. ;)
Of course, merely updating your packages is not enough to keep you
safe. You must also consider which front-end facing applications are
using the now patched software, and restart it.
grep libvulnerable /proc/*/maps | grep deleted
Iain
More information about the Digitalmars-d-announce
mailing list