From: Leo Famulari <leo@famulari.name>
To: ng0 <ngillmann@runbox.com>
Cc: guix-devel@gnu.org
Subject: Re: is Linux.DDoS.93 unable to work?
Date: Fri, 30 Sep 2016 19:09:44 -0400 [thread overview]
Message-ID: <20160930230944.GA6569@jasmine> (raw)
In-Reply-To: <87oa35z1wa.fsf@we.make.ritual.n0.is>
On Fri, Sep 30, 2016 at 06:19:17PM +0000, ng0 wrote:
> > On Fri, Sep 30, 2016 at 05:47:35PM +0000, ng0 wrote:
> >> https://vms.drweb.com/virus/?_is=1&i=8598428
> >>
> >> As far as I see it, Guix as GuixSD and systems with just Guix but with
> >> software/files which is coming from Guix assumed by this trojan to exist in
> >> 'normal' locations should not be able to get infected,
> >> is this observation correct? I did not feel like this is a case which
> >> should go to the -security list, as it's a general question.
I'd like <guix-security@gnu.org> to be used for bugs that must be
reported privately. This choice is up to the bug reporter. If a bug is
already known publicly, we should discuss it openly on guix-devel.
> softpedia quotes:
> Dr.Web security researchers, the ones who have discovered this threat,
> say the trojan seems to infect Linux machines via the Shellshock
> vulnerability, still unpatched in a large number of devices.
If the attack vector is the Bash Shellshock bug (CVE-2014-6271), then we
should be safe. As far as I can tell, we patched our Bash package
against that vulnerability with "gnu: bash: Apply patch series up to 25
[CVE-2014-6271]." (c1fe82d5866b).
Is there something else we need to worry about here?
prev parent reply other threads:[~2016-10-01 0:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-30 17:47 is Linux.DDoS.93 unable to work? ng0
2016-09-30 18:06 ` Leo Famulari
2016-09-30 18:19 ` ng0
2016-09-30 23:09 ` Leo Famulari [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160930230944.GA6569@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
--cc=ngillmann@runbox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).