Új hozzászólás Aktív témák

• #33 sh4d0w nagyúr Döglött Róka #6

  Új Válasz 2014-11-12 18:27:07 #33

  Új hozzászólás

  Összes hozzászólása itt Válaszok az összes hozzászólására itt Válaszok erre a hozzászólásra

  Privát üzenet küldése

  

  sh4d0w

  nagyúr

  LOGOUT blog

  válasz Döglött Róka #6 üzenetére

  Te valamit nagyon benéztél:

  2014-09-12 16:10:35 +0100

  Stéphane Chazelas reports the vulnerability in bash to Chet Ramey (the lead bash developer) and the security contacts of Debian, Red Hat, Ubuntu and Mandriva (SUSE was added later). This included “details of the bug and the SSH and HTTP (Apache header) vectors and mitigation and a bit fat warning that it was very serious and not to be disclosed”. This newly-found vulnerability was assigned the identifier CVE-2014-6271. Stéphane Chazelas found this vulnerability in the morning of the same day (2014-09-12 in the UK), after reflecting on an earlier vulnerability he had reported in libc (CVE-2014-0475) that had involved environment variables and was aggrevated by design choices in bash. As is routinely done, release of details was briefly embargoed. Private discussions were held about the best way to solve the problem, and patches were developed by the bash developer Chet Ramey for a planned coordinated announcement. There were conflicting reports about the date; the dates and other information reported by Stéphane Chazelas himself are used here (because he is a primary source). The article “Stéphane Chazelas: the man who found the web’s ‘most dangerous’ internet security bug” by Ben Grubb, The Sydney Morning Herald, September 27, 2014, provides some interesting early information, but it includes an incorrect date of 2014-09-09 as the report date, and it also incorrectly claims that the previous vulnerability Chazelas reported was in bash (it was actually in GNU libc, and merely aggrevated by bash functionality). The article “Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant” by Nicole Perlrothsept, The New York Times, 2014-09-25 gives the correct Shellshock report date, 2014-09-12.

  2014-09-14 14:29:48 +0100

  Stéphane Chazelas proposes that this vulnerability be named “bashdoor”. However, this proposed name is not mentioned in early announcements of the vulnerability, and in the end this name does not catch on.

  2014-09-16 22:00:02 -0400

  Chet Ramey has all final (before disclosure) fixes for the current and all past versions of bash back to 3.0 by 2014-09-16. Source: Stéphane Chazelas.

  2014-09-22 07:16:35 +0200

  Florian Weimer notifies the private PGP-re-encrypting distros list with subject “CVE-2014-6271 in bash”. It had no detail, but instead stated, “At 2014-09-24 14:00 UTC, we are going to disclose a significant security vulnerability in bash. Please contact the Debian security team... to receive details and upstream patches. Today, this alias will be staffed at least until 21:00 UTC (13:00 PDT).” This was later confirmed by Solar Designer.

  2014-09-24 16:05:51 +0200

  Vulnerability announcement released to the public, as planned, as CVE-2014-6271, a few minutes after the established embargo time of 2014-09-24 14:00 UTC. This announcement was reported on the oss-security mailing list by Florian Weimer (Red Hat Product Security Team) in a short and long announcement. At around the same time Chet Ramey releases official patch 25 for bash 4.3 (the current version), aka “bash43-025”, along with related patches for past versions of bash, that is intended to fix the vulnerability. Distributions who had participated in the coordinated disclosure released their patches as well. This public report reflected the original understanding of the problem: “environment variables are processed: trailing code in function definitions was executed, independent of the variable name. In many common configurations, this vulnerability is exploitable over the network.” Up to this time this has been a typical coordinated disclosure process; it will now change into a full disclosure process. forrás

  Senki nem vágyott 5 perc hírnévre és az eredetileg megtalált problémára kiadták a javítást a bejelentéskor. Csak ezután kezdett el Tavis Ormandy és a többi biztonsági szakember foglalkozni a bash parserrel és kiderült, hogy abban még van 5 hiba, amivel probléma generálható.

  https://www.coreinfinity.tech

Új hozzászólás Aktív témák