Date: Mon, 29 Sep 2014 19:41:26 +0100
From: Pete Houston
To: users@httpd.apache.org
Subject: Re: [users@httpd] Proposed simple shell-shock protection

On Mon, Sep 29, 2014 at 01:09:19PM -0500, Sharon Zastre wrote:
> Is it safe to assume that a fix/patch/upgrade will become available to address the shellshock vulnerability?

Yes, but not in apache. The vulnerability dubbed "shellshock" is a flaw in bash and patches and upgrades are already widely available for bash. Upgrade or patch your bash installations now.

It is not a flaw in apache. Apache is simply a network-enabled channel through which exploitative payloads may be delivered to unpatched installations of bash (one of many such channels).

Pete

-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107