Press "Enter" to skip to content

Posts tagged as “Shellshock”

Is the FOSS Infrastructure Crumbling?

It appears as if much of the open source infrastructure we depend on is suffering from neglect. That’s the message brought to the SouthEast LinuxFest (SELF) by David Nalley. Listening to his talk, “The Tragedy of Open Source,” it was hard not to think that some of our infrastructure projects are beginning to resemble some disintegrating municipal water and sewer systems, or maybe compare his examples with our crumbling roads and bridges. Nalley is a South Carolina based “recovering sysadmin” who now wears many hats at Apache as well as being an employee at Citrix.

Heartbleed logoThe neglect he mentions has caused more than a few near misses that fell inches short of disaster, with two major incidents happening last year alone.

Take the Heartbleed vulnerability that affected openSSL. Nalley points out that last year when the bug was discovered, there was only one person, earning a mere twenty grand a year, actively maintaining the openSSL project. Also last year, there was only one person maintaining bash when Shellshock was discovered.

Secure Linux Systems Require Savvy Users

Linux securityPatches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. The patches are available for all major Linux distros as well as for Solaris, with the patches being distributed through the various distros.

After the patch is applied, there are a couple of commands that can be run from a terminal to ascertain that a system is no longer vulnerable. For details, see the article Steven J. Vaughan-Nichols has written for ZDNet. As yet, there is no patch available for OS X, although Apple says that one is on the way, while assuring its users that Mac systems aren’t vulnerable except for the most advanced users.

The good news about all this is that it demonstrates how quickly the Linux community can get the word out and then rally to engineer a solution when a security problem is discovered. The bad news is that not all Linux users listen. Too many users believe that the security features that are baked into Linux offer complete protection, no matter what. Unfortunately, that’s not the case. It never was, nor can it ever be.

My friend Andrew Wyatt, who spent time some years back as the founder and lead developer of the Fuduntu Linux distro, attempted to address this fact recently in a comment to an article on FOSS Force:

Christine HallChristine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Unicorn Media
Latest FOSS News: