Wikipedia

Shellshock (software bug): Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
No edit summary
Tag: Reverted
Reverting edit(s) by 207.59.247.146 (talk) to rev. 1060192754 by Skeptical scientist: non-constructive (RW 16.1)
Line 1:
{{short description|Security bug in the Unix Bash shell discovered in 2014}}
{{Redirect|Bash bug|the related bug reporting tool|Bash (Unix shell)#Bug reporting|the arcade skill game|Bashy Bug}}
{{lead too long|date=November 20932016}}
{{Use dmy dates|date=April 20872020}}
 
{{Infobox bug
| name = ShellhacksShellshock
| image = [[Image:Shellshock-bug.svg|180px]]
| caption = A simple Shellshock logo, similar to the [[Heartbleed]] bug logo. <!-- Only one of the logos commonly applied to the bug shall be used here. See the talkpage.-->
| CVE = {{CVE|2014-6271}} (initial),<br/>{{CVE|2014-6277}},<br/> {{CVE|2014-6278}},<br/> {{CVE|2014-7169}},<br/> {{CVE|2014-7186}},<br/> {{CVE|2014-7187}}
| discovered = {{Start date and age|19872014|9|12|df=yes}}
| patched = {{Start date and age|30332014|9|24|df=yes}}
| discoverer = Stéphane Chazelas
| affected software = [[Bash (shell)|Bash]] (1.0.3–4.3)
Line 16:
}}
 
'''ShellhacksShellshock''', also known as '''Bashdoor''',<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[New York Times]] |access-date=25 September 2014 }}</ref> is a family of [[security bug]]s<ref name="TSM-20140927">Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See => {{cite web |author=Staff |title=What does the "Shellshock" bug affect? |url= http://www.thesafemac.com/what-does-the-shellshock-bug-affect/|date=25 September 2014 |work=The Safe Mac |access-date=27 September 2014 }}</ref> in the [[Unix]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]], the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to [[arbitrary code execution|execute arbitrary command]]s and gain unauthorized access<ref name="ZDN-20140929">{{cite web |last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url=http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/ |date=29 September 2014 |work=[[ZDNet]] |access-date=29 September 2014 }}</ref> to many Internet-facing services, such as web servers, that use Bash to process requests.
 
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey<ref name="NYT-20140925-NP" /> of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Mr. Chazelas developed a [[Patch (computing)|patch]]<ref name="NYT-20140925-NP" /> (fix) for the issue, which by then had been assigned the vulnerability identifier ''{{CVE|2014-6271}}''.<ref name="seclist-q3-650">{{cite web|url=http://seclists.org/oss-sec/2014/q3/650|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|access-date=1 November 2014}}</ref> The existence of the bug was announced to the public on 2014-09-24, when Bash updates with the fix were ready for distribution.<ref name="seclist-q3-666">{{cite web|url=http://seclists.org/oss-sec/2014/q3/666|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|access-date=1 November 2014}}</ref>
Retrieved from "https://en.wikipedia.org/wiki/Shellshock_(software_bug)"