Linux vulnerability (bashdoor) found, some BeagleBones may be affected.

My BBB with 14.04 newly installed (two weeks ago) had the vulnerability. Fortunately, a system update/upgrade will fix it.

While this probably doesn’t apply to most of us, there is a recent security issue in Linux systems (mid-September). It is called ‘Bashdoor’, the Bash Bug, or ‘Shellshock’.

From the CLI on your system you can test with:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
ubuntu@arm:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable      < bad
this is a test

To fix Ubuntu:

apt-get update && apt-get upgrade
After an update, the system was still vulnerable. After upgrade it was OK.
This is probably only an issue if you are running a server like Apache on your bone.

This is why it is important that users who are concerned with security should monitor sites like “Threatpost”. This vulnerability has been made public as of a couple of weeks ago, but is said to have been in Linux for the last 10+ (20?) years.

Also, as an aside, apt-get update only pulls in the update lists, so it won't fix anything until after apt-get upgrade is run. See the man pages for further explanation of what each APT command does.

This Bash bug can be abused when running the web server with CGI scripts, only.

On 7.10.2014 20:33, Alan Federman wrote:

... and even then only if:-

    The web server is internet facing (unless you have enemies on your
    LAN of course!)

    The web server's CGI scripts use bash, they often use other shells
    or even don't use a shell at all.

There is of course a vulnerability on *any* port open to the internet
where there is a possibility of running something which uses bash.

Presumably also the vulnerability is fixed in Ubuntu and Debian if you
simply do an 'apt-get update' and an 'apt-get upgrade'. It was fixed
on my desktop Linux system (Ubuntu) within 24 hours of the bug being
reported.

> This Bash bug can be abused when running the web server with CGI
> scripts, only.

Not quite--see below

... and even then only if:-

    The web server is internet facing (unless you have enemies on your
    LAN of course!)

That's true---it's not vulnerable if you can't reach it

    The web server's CGI scripts use bash, they often use other shells
    or even don't use a shell at all.

Apparently there is a problem because bash is used to process environment
variables derived from HTTP header fields for any URL:
http://blog.cloudflare.com/inside-shellshock/

That's why it's such a big deal around the Internet.
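
The conditions discussed in this thread (a bash that fails the test above, and CGI scripts that actually run bash) can be checked together on the board. The script below is an added example, not part of the original posts; the function names and the default CGI directory /usr/lib/cgi-bin are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): local exposure audit for Shellshock.

# 0 if the given bash binary (default: bash on PATH) runs the trailing
# command from the thread's test variable, 1 otherwise.
bash_is_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the given path (default /bin/sh) resolves to bash; then system()
# and popen() calls made by CGI programs in any language start bash too.
sh_is_bash() {
    case $(readlink -f "${1:-/bin/sh}" 2>/dev/null) in
        */bash) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every regular file in DIR whose shebang line names bash (directly
# or through env), or names a path ending in /sh when /bin/sh is bash.
cgi_scripts_using_bash() {
    for f in "${1:-/usr/lib/cgi-bin}"/*; do
        [ -f "$f" ] || continue
        first=
        IFS= read -r first < "$f" || [ -n "$first" ] || continue
        case $first in
            '#!'*bash | '#!'*bash' '*) echo "$f" ;;
            '#!'*/sh | '#!'*/sh' '*) if sh_is_bash; then echo "$f"; fi ;;
        esac
    done
}

# /usr/lib/cgi-bin is an assumed default; pass your server's CGI directory.
audit() {
    if ! command -v bash >/dev/null 2>&1; then echo "bash: not installed"
    elif bash_is_vulnerable; then echo "bash: VULNERABLE, run apt-get upgrade"
    else echo "bash: patched"; fi
    if sh_is_bash; then echo "/bin/sh is bash"; fi
    cgi_scripts_using_bash "${1:-/usr/lib/cgi-bin}" | sed 's/^/CGI script runs bash: /'
}

audit "$@"
```

A shebang scan only finds scripts that start bash directly; when the audit also reports that /bin/sh is bash, CGI programs written in other languages that shell out are in scope as well.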