I noticed another bash update this morning. Interestingly, the BlueTooth firmware was also updated.
As I said before, there will probably be several updates before this bash bug is finally bashed.
I was somewhat miffed at the reporting of this bug because I interpreted the CVE entry to say that the bug was discovered on 9/9/14 but not reported until 9/24/14. It has long been a mantra in Linux that bugs are reported ASAP, along with proof of concept code, to allow users to adjust their system and/or behavior so as to avoid being affected by the bug. It is well known that proprietary systems frequently keep bugs secret until, for whatever reason, they announce the bug and the patch on the same day, then claim "zero day" fixes. Meanwhile, they sit on other bugs for months or years, or even tell customers that if they want a bug fixed then buy the next version of the OS. Nice. Using their own insecurities as a profit center. I was miffed because I thought RedHat was doing the same thing. Rechecking the CVE I noticed some fine print:
20140909 | Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. |

So, the bash bug may not have been or was NOT discovered on the 9th and announced on the 24th like I had originally concluded. It was an ASAP announcement.