LUG: We are all patching, right?

Martin Heck mheck at
Sat Sep 27 13:03:26 MDT 2014

And to be a little more aware of things… this is particularly bad with systems that either use bash as /bin/sh and/or use bash shell scripts to do or configure things from the outside world -- Apache with legacy CGI-BIN shell stuff, DHCP clients that run Bash scripts on ifup/ifdown and are passed things from the DHCP server [like, an IP address ;) ]… this does mean that that webserver you thought wasn’t doing anything may now be able to wreck anything www-data (debian-esque) owns. Thankfully, the Debian/Ubuntu dhclient uses /bin/sh, which on those distros is defaulted to “dash”, *not* “bash”. If you’ve got a custom crafted shell for SSH (say, if you’re running something so “operators” can run backups), that’s the big risk with SSH at this point. (Note this is my side-reading of things while I’m out sick, so take it with a grain of salt, and don’t hesitate to send email to security at to pester the actual security folk :) ).
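
The exposure described in the message above (bash installed as /bin/sh, or bash scripts that handle input from the outside world) can be checked with a short audit script. This is an added example, not part of the original thread; the function names are hypothetical and the directories to scan are whatever the administrator passes in.

```sh
# Added example (not from the thread): list scripts that bash would interpret.
# The directory to scan and the optional sh path are the caller's choice.

# Print the real binary behind a shell path, e.g. "dash" or "bash".
sh_target() {
    basename "$(readlink -f "$1")"
}

# Print the interpreter named on a script's shebang line (nothing if none).
# Handles "#!/bin/bash", "#! /bin/sh -e" and "#!/usr/bin/env bash".
shebang_interp() {
    head -n 1 "$1" 2>/dev/null | awk '
        /^#!/ {
            sub(/^#![ \t]*/, ""); sub(/\r$/, "")
            n = split($0, w, /[ \t]+/)
            name = w[1]; sub(/.*\//, "", name)
            # For "env", the interpreter is the first plain argument.
            if (name == "env") {
                for (i = 2; i <= n; i++)
                    if (w[i] !~ /^-/ && w[i] !~ /=/) {
                        name = w[i]; sub(/.*\//, "", name); break
                    }
            }
            print name
        }'
}

# Succeed if script $1 would be run by bash, given what $2 (default /bin/sh)
# resolves to. A "#!/bin/sh" script counts only when sh is really bash.
runs_under_bash() {
    interp=$(shebang_interp "$1")
    case $interp in
        bash) return 0 ;;
        sh)   [ "$(sh_target "${2:-/bin/sh}")" = bash ] ;;
        *)    return 1 ;;
    esac
}

# List every regular file under directory $1 that bash would interpret.
audit_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if runs_under_bash "$f" "${2:-/bin/sh}"; then printf '%s\n' "$f"; fi
    done
}
```

Run `audit_dir` on each directory whose scripts receive outside input, such as a CGI directory or the DHCP client's hook directory; anything it prints should be prioritized for the bash update.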





From: lug-bounces at On Behalf Of Ezekiel T. Chopper
Sent: Friday, September 26, 2014 8:04 PM
To: lug at
Cc: Keith Hellman
Subject: Re: LUG: We are all patching, right?


For Debian you can follow for security updates. Currently there isn't a full patch. There is an initial patch that fixed the surface level bug, but introduced bugs of its own.


Here ( ) is a blog post from the RedHat security people that they will keep updated for news on distros of that variety.


Apple has made a statement that OS X users aren't vulnerable unless they are using "advanced UNIX services" and that a patch for those "advanced" users is in the works, but you should probably download the bash source, patch it yourself in Xcode and run your patched version. (They're kind of busy patching iOS 8) info:



Ezekiel Chopper

Undergraduate Computer Science student

Infrastructure Intern at Health Language, Inc.

System Administrator for CARDI, Toilers, and SmartGeo


On Thu, Sep 25, 2014 at 5:07 PM, Kyle Thompson Kluherz <kkluherz at> wrote:

I haven't found a patch for Mint yet, anyone know if there might be one? I'm running the Debian-based edition.



On Thu, Sep 25, 2014 at 4:58 PM, Keith Hellman <khellman at> wrote:
Keith Hellman                             #include <disclaimer.h>
khellman at                                from disclaimer import standard
khellman at
                    public key @ <>  9FCF40FD
        Y!M: mcprogramming                       AIM/ICQ: 485403897
        jabber: mrtuple at      irc: <>  as mrtuple

"Windows is about choice - you can mix and match software and music player
stuff. We believe you should have the same choice when it comes to music

-- David Fester, General Manager of Microsoft's Windows Digital Media Division <> &tid=187

lug mailing list
lug at




