This is the mail archive of the
cygwin
mailing list for the Cygwin project.
How vulnerable are bash users to shellshock bug?
- From: Andy <AndyMHancock at gmail dot com>
- To: cygwin at cygwin dot com
- Date: Mon, 29 Sep 2014 02:48:17 +0000 (UTC)
- Subject: How vulnerable are bash users to shellshock bug?
- Authentication-results: sourceware.org; auth=none
According to http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained,
shellshock is exploited when someone submits commands in place of parameter
data to a server, which then tries to shove the info into an environment
variable by a bash invocation.
I (and I suspect many people) only use bash as a command line user
interface. I don't run any services from the cygwin installation, and I
don't invoke any cygwin commands from Windows services (I know very little
about Windows services). Would it be correct to say that the vulnerability
doesn't exist in such a scenario? I can update some cygwin installations,
but some I cannot (and in those cases, cygwin is installed under
non-administrator accounts).
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple