[dns-operations] ShellShock exploit through the DNS
Doug Barton
dougb at dougbarton.us
Tue Oct 14 15:29:38 UTC 2014

On 10/14/14 6:41 AM, Paul Vixie wrote:

> apparently the apache team believed as i did that no shell would ever
> eval() its environment variables no matter with or without input
> checking. the bash team really violated the principle of least
> astonishment with function inheritance.

Given the number of years that the feature was in place (aka, "forever")
I find it hard to argue that it was "astonishing."

Rather, I find it quite astonishing that so many Linux distros did
precisely what it has always been recommended NOT to do, 'ln -s
/bin/bash /bin/sh'. I do not find the fact that they are now being
bitten in the ascii by this mistake at all astonishing. In fact I'm
rather enjoying it. :)

Doug