From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: is Linux.DDoS.93 unable to work? Date: Fri, 30 Sep 2016 19:09:44 -0400 Message-ID: <20160930230944.GA6569@jasmine> References: <87mvipl1oo.fsf@we.make.ritual.n0.is> <20160930180618.GA2487@jasmine> <87oa35z1wa.fsf@we.make.ritual.n0.is> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:59120) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bq7ww-0000Dy-Tx for guix-devel@gnu.org; Fri, 30 Sep 2016 20:14:43 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bq7ws-0003q5-Le for guix-devel@gnu.org; Fri, 30 Sep 2016 20:14:41 -0400 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:35976) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bq7wr-0003lk-5o for guix-devel@gnu.org; Fri, 30 Sep 2016 20:14:38 -0400 Content-Disposition: inline In-Reply-To: <87oa35z1wa.fsf@we.make.ritual.n0.is> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: ng0 Cc: guix-devel@gnu.org On Fri, Sep 30, 2016 at 06:19:17PM +0000, ng0 wrote: > > On Fri, Sep 30, 2016 at 05:47:35PM +0000, ng0 wrote: > >> https://vms.drweb.com/virus/?_is=1&i=8598428 > >> > >> As far as I see it, Guix as GuixSD and systems with just Guix but with > >> software/files which is coming from Guix assumed by this trojan to exist in > >> 'normal' locations should not be able to get infected, > >> is this observation correct? I did not feel like this is a case which > >> should go to the -security list, as it's a general question. I'd like to be used for bugs that must be reported privately. This choice is up to the bug reporter. If a bug is already known publicly, we should discuss it openly on guix-devel. > softpedia quotes: > Dr.Web security researchers, the ones who have discovered this threat, > say the trojan seems to infect Linux machines via the Shellshock > vulnerability, still unpatched in a large number of devices. If the attack vector is the Bash Shellshock bug (CVE-2014-6271), then we should be safe. As far as I can tell, we patched our Bash package against that vulnerability with "gnu: bash: Apply patch series up to 25 [CVE-2014-6271]." (c1fe82d5866b). Is there something else we need to worry about here?