[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?

David Jorm djorm at redhat.com
Fri Sep 26 09:48:53 EST 2014


Unfortunately I will be overseas while OSDC is on, but I am happy to give a presentation on open source security or run a hackathon/testathon at another event. I recently ran one focusing on Apache big data technologies, and in one day 6 people found multiple code execution flaws.

Thanks
David

> Well I'm happy to propose some sort of BOF on this at OSDC in November. We
> definitely need some more (security) eyes on these "less sexy" open source
> projects. We all use them every day without a second thought on who is
> maintaining them.
> 
> Are there any specific neglected core projects people know about that need
> some love .... maybe organising some sort of hackathon/testathon around one
> of these could be a positive thing we could do???
> 
> Steve
> 
> Ps. If you haven't booked your ticket yet.... Please come see us on the
> lovely gold coast this year, OSDC is now shaping up quite nicely (albeit a
> bit last minute!)
> 
> http://2014.osdc.com.au/registration
> 
> On Fri, Sep 26, 2014 at 7:11 AM, Ian <ilox11 at gmail.com> wrote:
> > The journos are having a field day over the discovery of the
> > vulnerabilities
> > in Bash, the vulnerability now called Shellshock. They talk of 500 million
> > affected sites. Any Apache server is easily taken over. Some are reporting that
> > the patches are not fully safe yet.
> > http://www.bbc.com/news/technology-29361794
> > "The new bug has turned the spotlight, once again, onto the reliance the
> > technology industry has on products built and maintained by small teams
> > often made up of volunteers."
> > And even more fingers being pointed at the Open Source community,
> > "That such key parts of everyday technology are maintained in this way is a
> > cause for concern," said Tony Dyhouse from the UK's Trustworthy Security
> > Initiative.
> > 
> > "To achieve a more stable and secure technology environment in which
> > businesses and individuals can feel truly safe, we have to peel back the
> > layers, start at the bottom and work up," he said. "This is utterly
> > symptomatic of the historic neglect we have seen for the development of a
> > dependable and trustworthy baseline upon which to develop a software
> > infrastructure for the UK.
> > "Ultimately, this is a lifecycle problem. It's here because people are
> > making mistakes whilst writing code and making further mistakes when
> > patching the original problems."
> > 
> > What is the real story? How vulnerable are our servers? Will the patches
> > resolve the problem?
> > 
> > Should there be a focus within the Linux world to track down all the little
> > bits that make up the foundation of the software and make sure they are
> > being maintained and secure and above all trusted? Perhaps LA or the next
> > LCA could/should pick this up as a theme and be a leader in the open source
> > world?
> > 
> > --
> > -- Ian
> > 
> > 
> > _______________________________________________
> > linux-aus mailing list
> > linux-aus at lists.linux.org.au
> > http://lists.linux.org.au/listinfo/linux-aus
> > 
> 
> --
> Refactor. Engage | Succeed | Repeat
> tel: +61 (0)7 5668 3424
> mob: +61 (0)414 464564
> web: refactor.com.au
> 