[dns-operations] ShellShock exploit through the DNS

Doug Barton dougb at dougbarton.us
Tue Oct 14 15:29:38 UTC 2014

On 10/14/14 6:41 AM, Paul Vixie wrote:
> apparently the apache team believed as i did that no shell would ever
> eval() its environment variables no matter with or without input
> checking. the bash team really violated the principle of least
> astonishment with function inheritance.

Given the number of years that the feature was in place (aka, "forever") 
I find it hard to argue that it was "astonishing."

Rather, I find it quite astonishing that so many Linux distros did 
precisely what it has always been recommended NOT to do, 'ln -s 
/bin/bash /bin/sh'. I do not find the fact that they are now being 
bitten in the ascii by this mistake at all astonishing. In fact I'm 
rather enjoying it. :)


More information about the dns-operations mailing list