General fluff => Announcements => Topic started by: IsmAvatar on September 25, 2014, 11:33:12 am

Title: Major Security Bug "ShellShock"
Post by: IsmAvatar on September 25, 2014, 11:33:12 am
If you haven't heard the news, another security vulnerability probably worse than Heartbleed has been discovered in Bash.
With it, an attacker can craft a very simple http response and have your server run arbitrary code.

As soon as we heard the news, we immediately tested it and updated bash to the latest patched version, just to be sure.

We do not believe our server was vulnerable to these types of attacks, as our apache does not seem to interact with Bash in that way. Our bash was indeed vulnerable, but again, nothing seemed to use it, so no harm there.

Other sites may still be vulnerable. An attack could publish database information, files, and other requests from users. This means that an attacker could gain access to passwords, credit card information, and public keys, even if the server isn't storing them - just from the fact that they are sent over the net to the server at some point.

Standard security precautions are recommended. Change your passwords regularly. Be careful where you enter your credit card information, and frequently monitor your account transactions and statements.
Title: Re: Major Security Bug "ShellShock"
Post by: Darkstar2 on September 25, 2014, 12:52:32 pm
Yes thanks, I had posted a topic about this yesterday here:

Title: Re: Major Security Bug "ShellShock"
Post by: The 11th plague of Egypt on September 26, 2014, 07:01:44 am
I heard the first patch didn't really fix anything.
How's the situation right now?
Title: Re: Major Security Bug "ShellShock"
Post by: IsmAvatar on September 26, 2014, 08:47:51 am
I haven't heard anything about that, but Josh and I did some pretty thorough testing of the vulnerability to verify if we were vulnerable before and after an update, and we were able to verify that we were not vulnerable afterwards by any of our battery of tests - while bash was exhibiting symptoms prior to the upgrade. Perhaps we got both patches, or they patched the patch. Whatever the case, we pass the best battery of tests we could find.
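A local self-check of the kind the posts above describe, added here as an example and not the thread's own test script: it exports a variable shaped like a bash function definition with a trailing command and reports whether the bash on this machine executes that trailer (vulnerable) or ignores it (patched). It only inspects the local bash binary; `shellshock_check` and the optional path argument are names chosen for this example.

```shell
#!/bin/sh
# Added example: self-check for the original ShellShock "function import" bug
# in bash. Runs only against a bash binary on this host; no network involved.
# Prints one verdict and returns 0 (not vulnerable), 1 (vulnerable), 2 (no bash).

shellshock_check() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "bash not found"
        return 2
    fi
    # The value of x looks like an exported function "() { :;}" followed by an
    # extra command. A vulnerable bash parses the whole value on startup and
    # runs the trailing "echo VULNERABLE"; a patched bash imports only the
    # function body (or rejects the variable) and prints just "probe".
    out=$(env 'x=() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable";     return 1 ;;
        *)            echo "not vulnerable"; return 0 ;;
    esac
}

# Stand-alone use: check the default bash, or pass an explicit path.
shellshock_check "$@"
```

Run it on each host (or against a specific binary such as an older bash kept in a non-default path) before and after applying the vendor update, as the posters did.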