[CentOS-devel] Critical update for bash was released today.

Nico Kadel-Garcia

nkadel at gmail.com
Sat Sep 27 02:12:30 UTC 2014


On Fri, Sep 26, 2014 at 9:34 AM, Karanbir Singh <mail-lists at karan.org> wrote:
> On 09/25/2014 08:41 PM, Nico Kadel-Garcia wrote:
>
>> Thinking about it, the git CentOS repository could possibly be
>> vulnerable, depending on just how the git credentials are managed
>> there. I'd urge a check.
>
> no shell out happens at git.centos.org
>
> gitweb however, is exposed. As is anything that does a system() call.

Cool. I'm curious how you do it, but would understand not wanting to
discuss that kind of security detail on a public mailing list.

Thinking further about it, if the web side uses something like
Apache's 'mod_cgi', there are some separate risks there as well. I'd
hope there's no inappropriate write access for the 'httpd' user, even
if you're vulnerable. (I mention that for folks not as familiar with
escalation attacks.)


