Heartbleed was a memory leak that, after carefully calculated exploitation, could eventually lead to remote root.

Shellshock depends on a lot of environmental details, but is possibly little more than a hard-to-reach shell with elevated permissions.

I guess Heartbleed was actually worse. Who runs web scripts and stuff as root? That's really foolhardy. But using OpenSSL ... we usually thought it good practice!

On Sep 30, 2014 11:41 AM, "Georgi Guninski" <guninski@guninski.com> wrote:
Recently a bash(1) bug called shellshock died.
It affected Apache, DHCP, SSH, qmail, Pure-FTPd and other stuff.
Summary of affected:
https://github.com/mubix/shellshocker-pocs/blob/master/README.md

I find this _much_ worse than the passive Heartbleed.

How worse is the shellshock bash bug than Heartbleed?
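As an added example that is not part of this thread: the quoted message lists Apache among the affected services, because a CGI gateway copies request headers into environment variables that bash then parses. Since every Shellshock payload has to start with the function-export prefix `() {`, a defender can scan web server logs for that prefix in the header fields a CGI script would see. The log lines below are constructed for the example and carry only harmless commands after the prefix; the field names and the `find_shellshock_attempts` helper are this example's own.

```python
import re

# Constructed sample lines in Apache "combined" log format; they are not from
# the original thread. The first and third carry the bash function-export
# prefix that Shellshock payloads begin with, followed by harmless commands.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2014:11:41:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [30/Sep/2014:11:41:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Sep/2014:11:41:05 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 200 300 "() { ignored; }; echo probe" "curl/7.30"
"""

# One combined-format line: client, identity, user, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash recognises an exported variable as a function when its value starts
# with "() {"; every Shellshock payload therefore carries this prefix, which
# makes it a cheap, low-false-positive signature in any header a CGI gateway
# turns into an environment variable (request line, referer, user agent).
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Fields that a CGI gateway copies into environment variables for the script
# (hypothetical selection for this example).
ENV_FIELDS = ("request", "referer", "ua")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it
    does not parse (malformed lines are reported by the caller, not dropped)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Scan a log text and return one record per field that carries the
    Shellshock function-definition prefix. Unparsable lines are reported
    too, so a deliberately malformed line cannot hide from the scan."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            hits.append({"line": lineno, "ip": None, "field": "unparsed", "value": line})
            continue
        for name in ENV_FIELDS:
            if SHELLSHOCK_RE.search(fields[name]):
                hits.append({"line": lineno, "ip": fields["ip"],
                             "field": name, "value": fields[name]})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} via {hit['field']}: {hit['value']!r}")
```

Run against the embedded sample, the scanner flags the first line through its user agent and the third through its referer, and leaves the ordinary browser request alone. The point of matching on the prefix rather than on any particular command is that the prefix is what bash's function-import parser keys on, so the signature does not depend on what an attacker puts after it.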