actually shellshock was the worst from a “drop everything and patch all your servers” perspective because it enabled trivial RCE and was wormablehttps://twitter.com/internetofshit/status/948693817556914176 …
But it was fixable (didn't require hackish mitigations) and was a complete non-event for those of us not using bash as /bin/sh or login shell. :-)
-
-
while obviously nowhere near meltdown/spectre, the shellshock fix was a rough ride and was ultimately only fixed by incompatibly changing an existing feature
-
Was there anything that relied on how the feature was implemented? It seems like the only thing that would be incompatible would be multiple bash versions in the same login session. (Also arguably the namespacing thing wasn't strictly necessary to the fix)
-
well, the conclusion was "getting the parser safe is an endless can of worms, so we have to do the namespace thing". but the incompatibility apparently wasn't a big deal as almost nobody used the feature anyway.
-
I thought they also fixed the parser too though. In fact I distinctly remember vulnerability test instructions that suggested an early fix that *only* fixed the parser. (Namespace thing is still good for defense in depth though obviously)
-
-
I'm not sure anyone thoroughly tested the parser after that, because the general conclusion was "when we have the namespace fix (from Florian Weimer) the other bugs don't matter"
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.