Revision as of 18:40, 23 February 2023 edit 193.3.10.230 (talk) kkgirouiriyi jvr lf Tags: Reverted Mobile edit Mobile web edit ← Previous edit		Revision as of 19:21, 23 February 2023 edit undo CodeTalker (talk \| contribs) Extended confirmed users, Rollbackers 38,903 edits Reverted 1 edit by 193.3.10.230 (talk) to last revision by 12.88.248.114 Tags: Twinkle Undo Next edit →
Line 15: \| website = }} ~~v, also known a~~ ~~ash~~'''Shellshock''', also known as '''Bashdoor''',<ref name="NYT-20140925-NP">{{cite news \|last=Perlroth \|first=Nicole \|title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant \|url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html \|date=25 September 2014 \|work=[[New York Times]] \|access-date=25 September 2014 }}</ref> is a family of [[security bug]]s<ref name="TSM-20140927">Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See => {{cite web \|author=Staff \|title=What does the "Shellshock" bug affect? \|url= http://www.thesafemac.com/what-does-the-shellshock-bug-affect/\|date=25 September 2014 \|work=The Safe Mac \|access-date=27 September 2014 }}</ref> in the [[Unix]] [[Bash (Unix shell)\|Bash]] [[shell (computing)\|shell]], the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to [[arbitrary code execution\|execute arbitrary command]]s and gain unauthorized access<ref name="ZDN-20140929">{{cite web \|last=Seltzer \|first=Larry \|title=Shellshock makes Heartbleed look insignificant \|url=http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/ \|date=29 September 2014 \|work=[[ZDNet]] \|access-date=29 September 2014 }}</ref> to many Internet-facing services, such as web servers, that use Bash to process requests. On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey<ref name="NYT-20140925-NP" /> of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Mr. Chazelas developed a [[Patch (computing)\|patch]]<ref name="NYT-20140925-NP" /> (fix) for the issue, which by then had been assigned the vulnerability identifier ''{{CVE\|2014-6271}}''.<ref name="seclist-q3-650">{{cite mailing list\|url=http://seclists.org/oss-sec/2014/q3/650 \|mailing-list=oss-sec \|title=Re: CVE-2014-6271: remote code execution through bash\|author=Florian Weimer\|date=24 September 2014\|access-date=1 November 2014}}</ref> The existence of the bug was announced to the public on 2014-09-24, when Bash updates with the fix were ready for distribution.<ref name="seclist-q3-666">{{cite mailing list\|url=http://seclists.org/oss-sec/2014/q3/666\|mailing-list=oss-sec \|title=Re: CVE-2014-6271: remote code execution through bash\|author=Florian Weimer\|date=24 September 2014\|access-date=1 November 2014}}</ref> ~~nboyo olm nqe w fke kdvodo e~~ The bug Chazelas discovered caused Bash to unintentionally execute commands when the commands are concatenated to the end of [[subroutine\|function definitions]] stored in the values of [[environment variable]]s.<ref name="NYT-20140925-NP" /><ref name="TR-20140924">{{cite web \|last=Leyden \|first=John \|title=Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open \|url=https://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ \|work=[[The Register]] \|date=24 September 2014 \|access-date=25 September 2014}}</ref> Within days of its publication, a variety of related vulnerabilities were discovered (''{{CVE\|2014-6277\|2014-6278\|2014-7169\|2014-7186\|2014-7187\|leadout=and}}''). Ramey addressed these with a series of further patches.<ref name="ITN-20140929"/><ref name="zdnet-betterbash"/>

Shellshock (software bug): Difference between revisions