[Info-vax] And now bash has a vulnerability Was: Re: Malware in kernel mode OT: Larry Ellison takes retirement as CEO of Oracle
Paul Sture
nospam at sture.ch
Wed Sep 24 17:21:03 EDT 2014
On 2014-09-24, Johnny Billquist <bqt at softjar.se> wrote:
>
> The code better be VMS-aware, or it most likely will not get anywhere.
>
> And no one argued that you cannot find exploits in VMS.
> I was merely pointing out that any Unix (or Windows, or whatever)
> exploits are not relevant for VMS. Heck, even buffer overflows in TCP/IP
> will in all likelihood be different, and triggered differently than
> under any other OS. Because even though for TCP/IP, VMS might have
> ported code from Unix, there will still be changes and differences that
> are highly relevant when you try to use various bugs for exploits.

But we also have to consider flaws in software ported from *nix.

The one in the headlines today (already patched on Scientific Linux)
is bash.

"Bash specially-crafted environment variables code injection attack"
<https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>

"Bug in Bash shell creates big security hole on anything with *nix in it"
<http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>

--
$ exit 13492
%SYSTEM-F-GAMEOVER, all your base are belong to us