[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?

[Ian]

The journos are having a field day over the discovery of the
vulnerabilities in Bash, the vulnerability now called Shellshock. They talk
of 500million affected sites. Any Apache server is easily taken over. Some
reporting that the patches not fully safe yet.
http://www.bbc.com/news/technology-29361794
"The new bug has turned the spotlight, once again, onto the reliance the
technology industry has on products built and maintained by small teams
often made up of volunteers."
And even more fingers being pointed at the Open Source community,
 "That such key parts of everyday technology are maintained in this way is
a cause for concern," said Tony Dyhouse from the UK's Trustworthy Security
Initiative.

"To achieve a more stable and secure technology environment in which
businesses and individuals can feel truly safe, we have to peel back the
layers, start at the bottom and work up," he said."This is utterly
symptomatic of the historic neglect we have seen for the development of a
dependable and trustworthy baseline upon which to develop a software
infrastructure for the UK.
"Ultimately, this is a lifecycle problem. It's here because people are
making mistakes whilst writing code and making further mistakes when
patching the original problems."
"
What is the real story? How vulnerable are our servers? Will the patches
resolve the problem?

Should there be a focus within the Linux world to track down all the little
bits that make up the foundation of the software and making sure they are
being maintained and secure and above all trusted? Perhaps LA or the next
LCA could/should pick this up as a theme and be a leader in the open source
world?

-- 
-- Ian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.linux.org.au/pipermail/linux-aus/attachments/20140926/e9ff365c/attachment.htm