[LUG.ro] Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

LeandroAC leandroac at gmail.com
Thu Sep 25 19:18:42 ART 2014


Fyi

---------- Forwarded message ----------
From: "Free Software Foundation"
Date: Sep 25, 2014 6:53 PM
Subject: Free Software Foundation statement on the GNU Bash "shellshock"
vulnerability
Cc:

> Free Software Foundation statement on the GNU Bash "shellshock"
> vulnerability
>
> This post can be viewed online at
> https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability
> .
>
> A major security vulnerability has been discovered in the free software
> shell GNU Bash. The most serious issues have already been fixed, and a
> complete fix is well underway. GNU/Linux distributions are working quickly
> to release updated packages for their users. All Bash users should upgrade
> immediately, and audit the list of remote network services running on their
> systems.
>
> Bash is the GNU Project's shell; it is part of the suite of software that
> makes up the GNU operating system. The GNU programs plus the kernel Linux
> form a commonly used complete free software operating system, called
> GNU/Linux. The bug, which is being referred to as "shellshock," can allow,
> in some circumstances, attackers to remotely access and control systems
> using Bash (and programs that call Bash) as an attack vector, regardless of
> what kernel they are running. The bug probably affects many GNU/Linux
> users, along with those using Bash on proprietary operating systems like
> Apple's OS X and Microsoft Windows. Additional technical details about the
> issue can be found at CVE-2014-6271 and CVE-2014-7169.
>
> GNU Bash has been widely adopted because it is a free (as in freedom),
> reliable, and featureful shell. This popularity means the serious bug that
> was published yesterday is just as widespread. Fortunately, GNU Bash's
> license, the GNU General Public License version 3, has facilitated a rapid
> response. It allowed Red Hat to develop and share patches in conjunction
> with Bash upstream developers' efforts to fix the bug, which anyone can
> download and apply themselves. Everyone using Bash has the freedom to
> download, inspect, and modify the code -- unlike with Microsoft, Apple, or
> other proprietary software.
>
> Software freedom is a precondition for secure computing; it guarantees
> everyone the ability to examine the code to detect vulnerabilities, and to
> create new and safe versions if a vulnerability is discovered. Your
> software freedom does not guarantee bug-free code, and neither does
> proprietary software: bugs happen no matter how the software is licensed.
> But when a bug is discovered in free software, everyone has the permission,
> rights, and source code to expose and fix the problem. That fix can then be
> immediately freely distributed to everyone who needs it. Thus, these
> freedoms are crucial for ethical, secure computing.
>
> Proprietary (aka nonfree) software relies on an unjust development model
> that denies users the basic freedom to control their computers. When
> software's code is kept hidden, it is vulnerable not only to bugs that go
> undetected, but to the easier deliberate addition and maintenance of
> malicious features. Companies can use the obscurity of their code to hide
> serious problems, and it has been documented that Microsoft provides
> intelligence agencies with information about security vulnerabilities
> before fixing them.
>
> Free software cannot guarantee your security, and in certain situations
> may appear less secure on specific vectors than some proprietary programs.
> As was widely agreed in the aftermath of the OpenSSL "Heartbleed" bug, the
> solution is not to trade one security bug for the very deep insecurity
> inherently created by proprietary software -- the solution is to put energy
> and resources into auditing and improving free programs.
>
> Development of Bash, and GNU in general, is almost exclusively a
> volunteer effort, and you can contribute. We are reviewing Bash
> development, to see if increased funding can help prevent future problems.
> If you or your organization use Bash and are potentially interested in
> supporting its development, please contact us.
>
> The patches to fix this issue can be obtained directly at
> http://ftp.gnu.org/gnu/bash/.
>
>
>
> Media Contacts
>
> John Sullivan
> Executive Director
> Free Software Foundation
> +1 (617) 542 5942
> campaigns at fsf.org
>
> Follow us on GNU social | Subscribe to our blogs via RSS | Join us as an
> associate member
>
> Sent from the Free Software Foundation,
>
> 51 Franklin Street
> Floor 5
> Boston, Massachusetts 02110-1301
> United States
>
> Unsubscribe from this mailing list.
>
> Stop all email from the Free Software Foundation, including Defective by
> Design, and the Free Software Supporter newsletter.

