Magic String – apache2 and bash

To: debian-lts@lists.debian.org
Subject: Magic String – apache2 and bash
From: udeppe@aol.com
Date: Fri, 10 Apr 2015 07:39:26 -0400
Message-id: <[🔎] 14ca3209e22-44af-677@webprd-m46.mail.aol.com>

Hello,

we have running an full patched Debian 6 server (patch level is up to date).
Periodically, vulnerability checks will be made by external security services.
The affected server is an VM primary used as webserver. No database or something else.

At 09. Apr 2015 we had an attack, as described here: http://www.volexity.com/blog/?p=118

The configuration of the server has been checked.
Tests on the console are negative, the shell "Bash" is "Shellshock" safe.
We suspect that the scenario only works in combination of the components – apache2 and bash (4.1-3+deb6u2).

Regards

UDeppe

Reply to:

Follow-Ups:
- Re: Magic String – apache2 and bash
  - From: Matus UHLAR - fantomas <uhlar@fantomas.sk>

Prev by Date: Re: Members of the LTS team and company affiliation
Next by Date: Re: Magic String – apache2 and bash
Previous by thread: Re: Members of the LTS team and company affiliation
Next by thread: Re: Magic String – apache2 and bash
Index(es):
- Date
- Thread