0

On the internet, I noticed there were Patches for the Shellshock vulnerability which is scaring me a lot. Does Ubuntu 14.10 have this automatically in it?

Bran
  • 785
  • 3
  • 10
  • 19
  • 1
    yes, it was patched. http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it – Panther Oct 08 '14 at 02:50
  • 1
    No. Shellshock is several bugs, all of which are very similar, that affect how Bash stores and uses variables. Some of these bugs have been fixed, some have not, not even in Trusty. On the Shellshock Wikipedia page there are commands and short scripts you can run to test for each vulnerability. Some patches are still in development, so my answer is no. It probably will get the patches before launch though. – John Scott Oct 08 '14 at 02:55
  • 2
    @FuzzyToothpaste my system passed all those tests on wikipedia. – Panther Oct 08 '14 at 03:10
  • Shellshock, is quite terrifying. Oh man... Im worried about Linux. Theoretically, if I have no LISTENING services on netstat -tulanp, I am safe from shellshock right? – Bran Oct 08 '14 at 03:24
  • 1
    @Bran Linux is not vulnerable. Bash is. Linux is just the kernel Maybe you should have a look at https://www.gnu.org/gnu/linux-and-gnu.html – John Scott Oct 08 '14 at 03:56
  • 1
    So basically, if you go with another shell, you're safe , right? – Sergiy Kolodyazhnyy Oct 08 '14 at 06:10
  • 1
    @Xieerqi Depends. If you use dash, Ubuntu's default shell, you're probably still vulnerable. Anything based on Bash is probably vulnerable. Obviously, if you use a completely unrelated shell, say Windows Command Prompt with Wine, you're probably fine. – John Scott Oct 08 '14 at 20:51
  • 1
    @FuzzyToothpaste, so what if I changed default shell with chsh to something else, like tcsh or mksh ? Does that mean I'm still using dash? Because upon boot, if I go to tty, it opens with the shell I changed to. – Sergiy Kolodyazhnyy Oct 08 '14 at 21:29
  • Thats a good question. I remember RHEL3 was csh as the default (I think). So for example if you have a Linux umm... Linux Distro that doesnt have bash, then we are safe right? – Bran Oct 09 '14 at 01:30
  • 1
    @Xieerqi Probably. I don't know. – John Scott Oct 09 '14 at 04:12

1 Answers1

1

As Ubuntu 14.10 is not set for release until October 26th changes can occur in what is found in the final disc image. No definite answer can be given until release as to what will appear. The changelog is available that shows actions taken with regards to package changes and the most recent new upload to 14.10 of bash as of answer submission was made on 2014-10-07.

Stephen Michael Kellat
  • 1,221