Apple finally patches Bash Shellshock vuln that WAS NOT A WORRY, OK?
F5 scrambling to catch up
Apple and F5 are the latest big-name vendors to post responses to the “Shellshock” vulnerability in Bash.
The fix is now available in OS X users' Software Update. It would, perhaps, also be useful if the Apple Knowledge Base article linked to the update were also updated to mention the Bash update. That, however, probably indicates that Cupertino is on the scramble just as much as the rest of the tech sector.
F5 has posted its Shellshock vulnerability list here, and it's depressing reading.
The vulnerability affects a bunch of its BIG-IP products, the ARX, Enterprise Manager and BIG-IQ systems, but not F5's FirePass or LineRate proxy systems.
Because there are relatively few vendor fixes from F5, the company currently recommends limiting access to its BIG-IP configuration utility to secure networks and trusted users, so as to keep outsiders from getting access to the shell. Users can also apply rules in BIG-IP, LineRate and ASM products as an interim mitigation strategy.
Meanwhile, CVEs continue to emerge and get patched. The latest, described here, addresses CVEs that have emerged since September 27. As a post at Rapid7 notes in an update to its post tracking Shellshock-related bugs, “If you applied the ShellShock-related patches before Saturday September 27, you likely need to apply this new patch”. ®