Shellshock update

This post comes a bit late, long after Red Hat and the Fedora Project pushed a new update to close the gap in the original patch that went out Wednesday. If you haven’t already done a “yum update”, you’ll probably want to do that now. Related stuff below.

This is for Fedora:

Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available

Red Hat Enterprise Linux:

Bash specially-crafted environment variables code injection attack (Updated)

Also see Red Hat Security’s Shellshock FAQ.

Red Hat SELinux expert Dan Walsh chimes in on how a properly configured (and enforcing!) SELinux installation could have provided some protection for unpatched systems.

A really good, detailed, explanation of how Shellshocker works by Fedora Project lead Matt Miller:

Shellshock: How does it actually work?

I’m still looking for a detailed, step-by-step howto on deploying and configuring mod_security to meet these kinds of threats, without breaking existing apps. Maybe one will be forthcoming soon (Mitigating the shellshock vulnerability is a good technical resource for those who are already successfully running mod_security, but it might be daunting for anyone deploying the module for the first time during this crisis).

shellshock-150x150

Shell based off “Shell”
CC-BY 3.0 by Guillaume Kurkdjian
http://thenounproject.com/term/shell/40512/

This entry was posted in Security on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).