On Fri, Sep 26, 2014 at 10:38 AM, Shane Ginnane <[email protected]> wrote:
> On Fri, 26 Sep 2014 11:26:55 -0400, John Gilmore wrote:
>
>>I am not sure that we are dealing with hyperbole here. The dangers
>>are real and serious.
>
> Perhaps, but the potential attack vector is quite narrow as John Mc alluded.
> There are no doubt a good number of headless servers out there that may be
> vulnerable - sysadmins will need to get off their bums and check. But the
> sweeping generalization to include all those misguided souls that are
> iphone owners is ridiculous. They have enough problems without being
> unnecessarily lumbered with this one.
>
> Shane ...
>

Shane's point is more of my point. At least on z/OS, this exploit is just not very critical. How many web CGI use bash? Other serious attack vectors were in things (example was DHCP daemon in Linux) which involve "privilege escalation" and the use of a BASH shell script to do some functions. Just doesn't happen in z/OS at present.

And your mom, running on a MAC does not really need to be worried. Now, if she is running Windows, she's _used_ to worrying. And Windows has a lot more holes to exploit.

For Linux, *BSD, and other long-time UNIX or UNIX-like systems where BASH has been the scripting language of choice, I agree with John's assessment that the results could be nasty.

--
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! <><
John McKown

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
