Comments
You should always be patching your shit, regardless of OS.
Also, unless you're running a website that utilizes bash CGI scripts (seriously, who the fuck does that in 2014?!), the attack vector for this is very small. Still, patch your shit.
On top of that, it looks like there are still quite a few attack vectors available even in the patched versions.
Looks like 4.3.25 finally does fix the issue. Patch yer shit. OSX people as well, and Windows users who use Git for Windows.
4.3.25 is what I just pushed out to all of my AIX boxes. My jimmie is wrapped.
And likely your home routers. And maybe your Nest Thermostat. Who knows. Every-fucking-thing.
Crap, hadn't thought about router.
Also, cable-boxes, blu-ray players, smart tvs
@primesuspect the smoothwall
From what I'm reading, it doesn't seem like this is an emergency for a personal computer. I'd rather just wait for the inevitable OSX patch than recompile bash manually and risk messing up my day futzing with my localhost.
Congratulations, @Linc, I think you just accidentally invented the most incredible computer geek euphemism for masturbation.
Since the attack vector is through a browser visiting a malicious website, I don't think I'd worry about those.
... PHRASING
https://www.us-cert.gov/ncas/alerts/TA14-268A
US-CERT/DHS's take on this.
https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707
InfoSec's FAQ.
https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerability/18709
SANS InfoSec Slideshow by Johannes B. Ullrich, PhD
Patched all the devices I could SSH into. So far, so good.
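For anyone auditing more than a handful of boxes, here is an added example (not code from any poster in this thread) that sorts collected `bash --version` lines by the 4.3.25 patch level mentioned above. The function names, the `host|version line` inventory format and the sample hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Judges only the upstream 4.3 branch against 4.3.25 (the
# level named in the thread). Other branches, vendor builds with backported
# fixes, and non-bash shells are reported as "check" for manual follow-up.
FIXED_BRANCH="4.3"
FIXED_PATCH=25

# classify_bash_version "<first line of 'bash --version'>" -> ok|outdated|check
classify_bash_version() {
    cbv_ver=$(printf '%s\n' "$1" |
        sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$cbv_ver" ]; then
        echo check                      # no parsable bash version string
        return 0
    fi
    cbv_branch=${cbv_ver%.*}            # e.g. "4.3"
    cbv_patch=${cbv_ver##*.}            # e.g. "25"
    if [ "$cbv_branch" != "$FIXED_BRANCH" ]; then
        echo check                      # thread gives no level for this branch
    elif [ "$cbv_patch" -ge "$FIXED_PATCH" ]; then
        echo ok
    else
        echo outdated
    fi
}

# audit_inventory: reads "host|version line" records on stdin, prints
# "host status" per record, returns 1 if any host is not "ok".
audit_inventory() {
    ai_rc=0
    while IFS='|' read -r ai_host ai_line; do
        [ -n "$ai_host" ] || continue
        ai_status=$(classify_bash_version "$ai_line")
        printf '%s %s\n' "$ai_host" "$ai_status"
        [ "$ai_status" = ok ] || ai_rc=1
    done
    return "$ai_rc"
}

# Constructed sample inventory: hostnames and version lines are made up.
sample_inventory() {
    cat <<'EOF'
aix01|GNU bash, version 4.3.25(1)-release (powerpc-ibm-aix7.1.0.0)
web02|GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
mac03|GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
rtr04|BusyBox v1.22.1 multi-call binary.
EOF
}

sample_inventory | audit_inventory || echo "follow up on hosts not marked ok"
```

A version string is only a first pass: anything reported as `check` or `outdated` still needs the vendor's advisory to confirm whether the fix is actually present.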