[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: is Linux.DDoS.93 unable to work?
|
From: |
Leo Famulari |
|
Subject: |
Re: is Linux.DDoS.93 unable to work? |
|
Date: |
Fri, 30 Sep 2016 19:09:44 -0400 |
|
User-agent: |
Mutt/1.7.0 (2016-08-17) |
On Fri, Sep 30, 2016 at 06:19:17PM +0000, ng0 wrote:
> > On Fri, Sep 30, 2016 at 05:47:35PM +0000, ng0 wrote:
> >> https://vms.drweb.com/virus/?_is=1&i=8598428
> >>
> >> As far as I see it, Guix as GuixSD and systems with just Guix but with
> >> software/files which is coming from Guix assumed by this trojan to exist in
> >> 'normal' locations should not be able to get infected,
> >> is this observation correct? I did not feel like this is a case which
> >> should go to the -security list, as it's a general question.
I'd like <address@hidden> to be used for bugs that must be
reported privately. This choice is up to the bug reporter. If a bug is
already known publicly, we should discuss it openly on guix-devel.
> softpedia quotes:
> Dr.Web security researchers, the ones who have discovered this threat,
> say the trojan seems to infect Linux machines via the Shellshock
> vulnerability, still unpatched in a large number of devices.
If the attack vector is the Bash Shellshock bug (CVE-2014-6271), then we
should be safe. As far as I can tell, we patched our Bash package
against that vulnerability with "gnu: bash: Apply patch series up to 25
[CVE-2014-6271]." (c1fe82d5866b).
Is there something else we need to worry about here?