My question is about the community response to Shellshock.
What improvements were made in either the Linux development cycle or in the recommendation to its users to prevent something like Shellshock/Heartbleed from happening again?
Asked
Active
Viewed 104 times
0
-
I'm not really sure what you asking, and you might have some assumptions that aren't entirely correct that drive this question. Linux isn't a company that produces software that has a development cycle. Linux is a bazaar of different vendors that collaborate together but are also competing with one another. It's a bit like asking how has the world has acted after Ebola to prevent another disease from spreading. In that example, the natural question is which country, and which disease? – Steve Sether Mar 23 '15 at 18:18
-
ShellShock is related to how bash is implemented. It was already patched in Bash. You might want to look at this [canonical question and answer regarding ShellShock.](https://security.stackexchange.com/questions/68168/is-there-a-short-command-to-test-if-my-server-is-secure-against-the-shellshock-b) – RoraΖ Mar 23 '15 at 18:24
1 Answers
2
I don't believe any improvements were made to the Linux development cycle in response to ShellShock. As "the vulnerabilities had existed since version 1.03 of Bash released in September 1989" (Wikipedia), it's not considered a current development cycle issue. (And insofar as it is, it's a universal lesson: "don't write buggy code, and find it if you do", that everyone tries and fails to learn).
The recommendation to users was: patch. That was the last recommendation before that, and will be the first recommendation on the next bug. In a world where software is imperfect, patching promptly is the best defense.
gowenfawr
- 71,975
- 17
- 161
- 198
-
In the case of shellshock, it was more a bad and dangerous design decision than a bug. – Stéphane Chazelas Jan 28 '19 at 08:17