The news is 4 days old...
http://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability
this reply was dictated by Stallman himself :)
GNU Bash's license, the GNU General Public License version 3, has facilitated a rapid response. It allowed Red Hat to develop and share patches in conjunction with Bash upstream developers' efforts to fix the bug, which anyone can download and apply themselves. Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.
Patches were released only a few hours after the CVE came out.
This time it was bash, next it could be nesh :D aka something more
Really commendable, but:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
Especially this part:
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
After half the world spent the whole weekend patching its systems, the entire process will now have to be repeated.
Masterful...
Well, it was no problem for me to tap login on my phone and type aptitude -y upgrade on a couple of servers... I do that every few days anyway, because other fixes that aren't as "popular" come out too.
Wonderful. Good for you.
All the big financial institutions and other large companies mobilised all their admins this weekend, in every country where they operate, to find out as quickly as possible how exposed they were and to patch thousands of servers with a fix they believed was final. Not to mention that every process started from bash (say Apache, as the most problematic one) has to be restarted after the patch is applied, which in most cases means a production outage, or at the very least an outage for some portion of the users. And now all that effort is wasted, and the actual recommendation is to shut down all unnecessary Internet-facing systems to minimise the attack surface.
But you patched your couple of little servers from your phone. And you see no problem doing that a few more times. Lucky you.
http://www.theinquirer.net/inquirer/news/2372788/ineffective-bash-shellshock-bug-fix-means-hackers-are-still-exploiting-the-vulnerability
looks like the situation is slowly getting out of control until an effective patch is applied. the russians are on the offensive.
"So far, attackers have deployed scanners looking for vulnerable machines that have been bombarding networks with traffic since midday Wednesday. Through threat intelligence collected from Fireeye's Dynamic Threat Intelligence (DTI) centre, we are seeing frenzied activity all over the world."
"Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack."
and the following is interesting too:
While Google and Amazon both issued statements announcing the steps they've taken to contain the vulnerability, Apple, whose Mac OS X operating system is one of the potential targets of the exploit, characteristically played down the risk to consumers.
I use JuiceSSH, it was free for a day on Amazon. Luckily the other systems never have any problems at all and never require admins to spend their time on other people's mistakes :)