On 26 September 2014 12:33, Adam Bower adam@thebowery.co.uk wrote:
^^^ because of attack vectors like these, after checking logs (of machines on our CDN) I've seen people actively trying to exploit this a few hours after the announcement.
I've run some automated tests on some machines of ours that should be vulnerable on the basis of the bash version alone, but none have thrown up issues. We don't generally enable cgi so I think that's the key for us. (That's not to say I'm not patching them anyway...)
To add to the joys of this, I have had to patch some old versions of Ubuntu (6.06 and 11.04 so far, 8.04 to follow). This can be fun when the servers themselves don't have build tools on them, so I've resorted to creating VMs from old distro ISOs, installing build tools, building the latest bash and copying the binaries across. I mention it in case anyone else needs the binaries (not that you should be trusting me unless you know me, of course, and they come with zero warranty!). Of course I shouldn't have any boxes with unsupported versions on them, but the real world isn't always as clean as it should be. I have x86 binaries only, but can tell you how I created them for anyone stuck on different versions/architectures.
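The message above makes the point that the bash version string alone does not tell you whether a host is affected, and that a hand-built binary copied onto an old box needs to be verified in place. The following is an added example, not code from the thread or from any of its participants; it assumes the bash issue under discussion is the late-September-2014 bug in which bash executed trailing commands appended to a function definition imported from the environment. It runs only against a local bash binary (no CGI, no network) and is written so it can be pointed at a freshly copied binary before it is put into service:

```sh
#!/bin/sh
# Added example (not from the original thread). Local self-check for a bash
# binary: does it execute code placed after a function body in an imported
# environment variable? Assumption: that is the bug the thread discusses.

# Print the first line of the binary's own version banner, for the record.
# The thread's point is that this line is *not* sufficient on its own.
bash_version_line() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "unknown"; return 2; }
    "$bash_bin" --version 2>/dev/null | head -n 1
}

# Behavioural check. Prints one word:
#   vulnerable - the marker was echoed, so trailing code in the imported
#                function definition ran at bash start-up
#   patched    - bash started without running it
#   unknown    - no such binary
# The child bash only runs ':' (a no-op); the marker can appear on stdout
# solely because bash executed the text after the function body.
check_bash_function_import() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "unknown"; return 2; }
    out=$(env 'x=() { :; }; echo BASH_IMPORT_MARKER' "$bash_bin" -c ':' 2>/dev/null)
    case "$out" in
        *BASH_IMPORT_MARKER*) echo "vulnerable"; return 1 ;;
        *)                    echo "patched";    return 0 ;;
    esac
}

# Report both facts for one binary, e.g. a rebuilt bash copied to /tmp
# before it replaces /bin/bash. Exit status mirrors the behavioural check.
report_bash_binary() {
    bash_bin="${1:-bash}"
    echo "binary : $bash_bin"
    echo "version: $(bash_version_line "$bash_bin")"
    result=$(check_bash_function_import "$bash_bin")
    rc=$?
    echo "import : $result"
    return $rc
}

# Usage when run directly: check the bash on PATH, or the binary given as $1.
if [ "${0##*/}" = "bash_check.sh" ]; then
    report_bash_binary "${1:-bash}"
fi
```

Run it once against the system bash and once against the freshly copied build (`sh bash_check.sh /tmp/bash-new`) so the version line and the behavioural result are both in the change record; a binary that reports a new version but still says `vulnerable` was built without the relevant patches.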