Re: SEMI-OT: bash vulnerability on Oracle Linux

From: Hans Forbrich <fuzzy.graybeard_at_gmail.com>
Date: Thu, 25 Sep 2014 21:27:08 -0600
Message-ID: <5424DD0C.5040804_at_gmail.com>



"For an attack to be successful, a targeted system must be accessible via the Internet and also running a second vulnerable set of code besides Bash, experts said."

It is reminiscent of the old Apache CGI attacks, and indeed depends on CGI-style interaction. Basically, prioritize those machines that have web servers and app servers open to the internet. (Yes, that would include DB Console.)

/Hans

On 25/09/2014 9:02 PM, Rich Jesse wrote:
> Just thought I'd pass along the "shellshock" warning for those of us running
> Linux, Oracle or not:
>
> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
> https://access.redhat.com/solutions/1207723
>
> To fix my EL6 box running bash 4.1.2-3 (and Oracle 12.1.0.2), it was a simple:
>
> yum update bash
>
> ...with the standard "ol6_latest_base" yum repo enabled, and now I've got
> bash 4.1.2-15, which passes the vulnerability test.
>
> YMMV. GL!
>
> Rich
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Sep 26 2014 - 05:27:08 CEST
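
The prioritization Hans describes, as an added example that is not part of either message: it lists unpatched hosts and ranks those with internet-facing web or app servers first. The inventory format, hostnames and function names are assumptions; 4.1.2-15 is the EL6 bash release Rich reports after updating.

```shell
#!/usr/bin/env bash
# Added example: rank hosts for the bash update, internet-facing web/app servers first.
# PATCHED_EL6 is the release Rich reports on EL6 after `yum update bash`.
PATCHED_EL6="4.1.2-15"

# Return 0 if version-release $1 sorts strictly before $2.
# GNU `sort -V` is used as an approximation of RPM version ordering.
older_than() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# stdin: "host bash_version_release internet_facing_web(yes|no)" per line.
# stdout: "priority host version" for unpatched hosts; priority 1 = patch first.
triage() {
    while read -r host ver web; do
        [ -z "$host" ] && continue
        case "$host" in \#*) continue ;; esac
        if older_than "$ver" "$PATCHED_EL6"; then
            if [ "$web" = "yes" ]; then prio=1; else prio=2; fi
            printf '%s %s %s\n' "$prio" "$host" "$ver"
        fi
    done | LC_ALL=C sort -k1,1n -k2,2
}

# Constructed sample inventory (hypothetical hostnames). On a real host the
# version column could come from: rpm -q --qf '%{VERSION}-%{RELEASE}\n' bash
sample_inventory() {
    cat <<'EOF'
dbconsole01 4.1.2-3 yes
batch01 4.1.2-3 no
web01 4.1.2-15 yes
app01 4.1.2-14 yes
EOF
}

sample_inventory | triage
```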
