On 29 Sep 2014, at 19:41, Pete Houston wrote:
> It is not a flaw in apache. Apache is simply a network-enabled channel
> through which exploitative payloads may be delivered to unpatched
> installations of bash (one of many such channels).
Yep. mod_taint (or any other Apache-based solution) is
On Mon, Sep 29, 2014 at 01:09:19PM -0500, Sharon Zastre wrote:
> Is it safe to assume that a fix/patch/upgrade will become available to
> address the shellshock vulnerability?
Yes, but not in apache. The vulnerability dubbed "shellshock" is a
flaw in bash and patches and upgrades are already wide
[mailto:n...@webthing.com]
Sent: Monday, September 29, 2014 12:59 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Proposed simple shell-shock protection
On 29 Sep 2014, at 17:35, Sharon Zastre wrote:
> Thank you Nick for quickly looking into a solution/work around for the
> shel
On 29 Sep 2014, at 17:35, Sharon Zastre wrote:
> Thank you Nick for quickly looking into a solution/work around for the
> shellshock vulnerability. But I'm confused as to how to implement it. I am
> currently at Apache 2.4.9 with OpenSSL 1.0.1g. Do I need to upgrade to
> 2.4.10 or 2.5(?) fi
Thank you Nick for quickly looking into a solution/work around for the
shellshock vulnerability. But I'm confused as to how to implement it. I am
currently at Apache 2.4.9 with OpenSSL 1.0.1g. Do I need to upgrade to 2.4.10
or 2.5(?) first? Will it simply be in the install and I include mod_
