How worse is the shellshock bash bug than Heartbleed?

Lodewijk andré de la porte l at odewijk.nl
Tue Sep 30 02:55:55 PDT 2014


Heartbleed was a memory leak that eventually, after carefully calculated
exploiting, can lead to a remote root.

Shellshock depends on a lot of environmental details, but is possibly
little more than a hard-to-reach shell with elevated permissions.

I guess Heartbleed was actually worse. Who runs web scripts and stuff as
root? That's really foolhardy. But using OpenSSL ... We usually thought it
good practice!

On Sep 30, 2014 11:41 AM, "Georgi Guninski" <guninski at guninski.com> wrote:

> Recently a bash(1) bug called shellshock died.
> It affected Apache, DHCP, SSH, qmail, Pure-FTPd and other stuff.
> Summary of affected:
> https://github.com/mubix/shellshocker-pocs/blob/master/README.md
>
> I find this _much_ worse than the passive Heartbleed.
>
> How worse is the shellshock bash bug than Heartbleed?
>
>