With all the attention today on the Shellshock vulnerability, I need a place to keep track of it for my own purposes. If this page or list helps anyone else, that’s great, but this is primarily a tool for me to capture what’s going on. I intend to update it regularly while this is all happening. Suggestions are of course welcome in comments.
Note that I have links here to discussion threads on Hacker News. The comment threads are often full of incredibly useful information.
Security Advisories
- Original report to oss-sec mailing list
- US-CERT: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)
- CERT Vulnerability Note VU#252743
- CVE-2014-6271
- CVE-2014-7169
- HN discussion about fix being incomplete: https://news.ycombinator.com/item?id=8365158
- Red Hat Security Blog article (good description) – and bug ticket
- Akamai statement
- UK-CERT Advisory
- FSF Statement about the bash vulnerability
Testing Tools
News about actual exploits
- https://gist.github.com/anonymous/929d622f3b36b00c0be1
- https://gist.github.com/mbulat/a49d0933c48687bcf5d7
- Report by CloudFlare of active exploits (on HN)
- Linux/Bash0day alias Shellshock
- Malware analysis at virustotal (click on Comments tab to read more)
- DHCP remote code exploit proof of concept
- Ars Technica: Concern over Bash vulnerability grows as exploit reported “in the wild”
- David Moreau Simard has a post with an exploit – but also with scripts about how to patch your systems
News about the Shellshock vulnerability in general
- Everything you need to know about the Shellshock Bash bug (Troy Hunt)
- Bash bug as big as Heartbleed (Robert Graham)
- Bash ‘shellshock’ bug is wormable (Robert Graham) – and his earlier post about the test
- Quick notes about the bash bug, its impact, and the fixes so far (Michał Zalewski)
- GigaOm: The critical Shellshock flaw affects many Linux and Apple systems — here’s what you need to know
- ZDNet: Unix/Linux Bash: Critical security hole uncovered
- Shellshock explanation on YouTube