 |
 |
On 09/26/14 10:22, Kim Geiger wrote: > If it's so all-fired important, how come I can't find anything about it at MSU.edu ? > > Anyway, I'm getting conflicting information from things I'm reading (apocalyptic) versus vendors who are telling me that I don't need to patch because the machine isn't running Apache. > > Is anyone else dealing with this? Does anyone care to offer an opinion? > This is a new flaw, so things are in flux right now. I'll bet that some people are still reeling from heartbleed, so keep that in mind. It is however, a real flaw. There are people who would call bash itself a flaw. I'm probably one of them. As for the severity of it, I've talked with a friend who has poked at it, and yes it is real. The biggest problem likely lies ahead: once a flaw is known, others look at it and find new ways to use it. And, look for similar problems elsewhere. The msu advisory didn't say much about the BSD's, but they are vulnerable to various degrees, too. Of course, not using bash at all makes the most sense. --STeve Andre'